Abstract. Asymmetric password based key exchange is a key exchange protocol where a client and 
a server share a low entropic password while the server additionally owns a high entropic secret for a 
public key. There are simple solutions for this (e.g., Halevi and Krawczyk (ACM TISSEC 1999) and its 
improvement by Boyarsky (CCS 1999)). In this paper, we consider a new threat to this type of protocol: 
if a server's high entropic secret gets compromised (e.g., due to cryptanalysis, a virus attack or poor 
management), the adversary might quickly break lots of passwords and cause uncountable damage. In 
this case, one should not expect the protocol to be secure against an off-line dictionary attack since, 
otherwise, the protocol is in fact a secure password-only key exchange where the server also only has a 
password (by making the server's high entropic secret public). Of course, a password-only key exchange 
does not suffer from this threat as the server does not have a high entropic secret at all. However, 
known password-only key exchange protocols are not very efficient (note: we only consider protocols without 
random oracles). This motivates us to study efficient and secure asymmetric password key exchange 
that avoids the new threat. In this paper, we first provide a formal model for the new threat, where 
essentially we require that the active adversary can break $\ell$ passwords in $\alpha\ell|\mathcal{D}|$ steps (for $\alpha < 1/2$) 
only with a probability negligibly close to $\exp(-\beta\ell)$ for some $\beta > 0$. Then, we construct a framework 
of asymmetric password based key exchange. We prove that our protocol is secure in the usual sense. 
We also show that it prevents the new threat. To do this, we introduce a new technique by abstracting 
a probabilistic experiment from the main proof and providing a neat analysis of it. 



1 Introduction 

Key exchange (KE) is one of the most important issues in secure communication. It helps two 
communicants to securely establish a common session key, with which the subsequent communication 
can be protected. In the literature, there are two types of key exchange. In type one, two parties 
own high entropic secrets (e.g., a signing key of a digital signature). This type has been extensively 
studied in the literature; see a very partial list [2, 25, 7, 10]. Type two is password authenticated key 
exchange, in which it is assumed that the two parties share a human-memorable (low entropy) 
password. The major threat for this type of key exchange is an off-line dictionary attack. In this 
case, an adversary can catch a function value of the password (say, $F(pw)$). Since the password 
space is small, he can find the matching password through an exhaustive search. See [1] for an 
example. In the literature, two types of password key exchange protocols are studied. In the first 
type, two parties only own a common password. This type is studied extensively in the literature. 
In the second type, the client and server share a password while the server additionally owns a 
high entropic private key of a public key. In this type, there are simple solutions [16, 6]. In this 
paper, we consider a new threat to this type of protocol: when the server's high entropic secret is 
compromised, the attacker might quickly break lots of passwords and cause uncountable damage. 
It is desired that the pace at which he breaks passwords is very slow. Under this, the server management will 
have enough time to realize and defend against the attack. Unfortunately, previous protocols (e.g., [16, 6]) 
are not secure against this threat. 



1.1 Related Work 

The server key leakage problem does not occur in the password-only key exchange protocol since 
in this setting the server does not own a high entropic secret key at all. Hence, an asymmetric 
password key exchange against this threat is meaningful only if we have a construction that is more 
efficient than the known password-only protocols. Password-only key exchange was first studied by 
Bellovin and Merritt [3] and further studied in [5, 19, 27]. The first provably secure solution is due 
to Bellare et al. [3], but security holds in the random oracle model, which is not our main focus. 
The first key exchange without random oracles is due to Goldreich and Lindell [13], but it is 
very inefficient. The first reasonably efficient solution without random oracles is the KOY protocol [21], 
which has 15 exponentiations for each party. This protocol was abstracted into a framework by 
[11] and improved by Gennaro [12] (the contribution of the latter is to remove the signature). Jiang 
and Gong [20] (recently abstracted into a framework by [21]) constructed an efficient protocol, 
where, using the fastest CCA2 secure encryption [18], it costs 5 exponentiations for a client and 6 
exponentiations for a server. Katz and Vaikuntanathan [22] constructed a one-round password-only 
key exchange, but it is less efficient than [20, 24]. 

The asymmetric password based approach was initiated by Gong [14]. Halevi and Krawczyk [15] 
(also the full version [16]) proposed a very efficient asymmetric password based key exchange, which 
essentially lets the client use a CCA2 secure encryption to encrypt the password information. Using 
the encryption of [18], this protocol only needs about two exponentiations for the client and one exponentiation 
for the server. It was later improved by Boyarsky [6] for security in the multi-user setting. 
However, neither of the two protocols can prevent the new threat above because the password is encrypted 
under a server public key and can be decrypted by the adversary without a dictionary attack if 
the private key is leaked. 

1.2 Contribution 

We first provide a formal model for the above server key leakage problem. It essentially requires that 
an adversary can break $\ell$ passwords in $\alpha\ell|\mathcal{D}|$ steps (for $\alpha < 1/2$) only with probability negligibly 
close to $\exp(-\beta\ell)$ for some $\beta > 0$. Under this assertion, the adversary cannot quickly break a 
lot of passwords. Then, we construct a framework of asymmetric password based key exchange. 
Our construction is based on a tag-based projective hash family (tag-PHF) that is modified from the projective 
hash family of Cramer-Shoup. We show that our framework is secure in the multi-user 
setting of [6] (under a different formalization, where our approach is a new quantification on 
the authentication failure). Our proof does not rely on random oracles. We also prove that our 
framework is persistent, where we introduce a new technique to achieve this, which is a probabilistic 
experiment extracted from the main proof. We provide a neat analysis for this experiment. Our 
persistency holds in the random oracle model. It is open to construct a protocol whose security 
and persistency both hold without random oracles. We instantiate our framework with a concrete 
tag-PHF. Our realization only costs 4 exponentiations for the client and 2 exponentiations for the 
server, which is significantly more efficient than all the known password-only key exchange protocols. 

Notions. For a set $S$, $x \leftarrow S$ samples $x$ from $S$ randomly; $A|B$ means concatenating $A$ with $B$. We 
use $\mathrm{negl} : \mathbb{N} \to \mathbb{R}$ to denote a negligible function: for any polynomial $p(x)$, $\lim_{n \to \infty} \mathrm{negl}(n)p(n) = 0$. 
The probability distance of two random variables $A, B$ over a set $\Omega$ is defined as 
For $a \in \mathbb{N}$, define $[a] = \{1, \cdots, a\}$. PPT means probabilistic polynomial time. 



2 Security Model 

In this section, we introduce a security model for asymmetric password key exchange, which is 
slightly modified from the password-only setting of Bellare et al. [3]. Before proceeding, we first 
give some notions. 

- $\mathcal{D}$: a password dictionary. For simplicity, assume $\mathcal{D} = \{1, \cdots, N\}$ with a uniform distribution. 
But our result holds without the uniformity. 

- Client $C_i$ and Server $S$: Asymmetric password key exchange runs between a client $C_i$ and a 
server $S$. $S$ has a public key and a private key $\theta$. He also shares a password $\pi_i$ with $C_i$. The public key is 
known to all clients. 

- $\Pi_i^{\ell_i}$ and $\Pi_S^{\ell_S}$: $\Pi_i^{\ell_i}$ is a protocol instance $\ell_i$ within client $C_i$, where $\ell_i$ is unique within $C_i$ for 
distinguishing different instances in $C_i$ but it is not necessarily globally unique. Similarly, $\Pi_S^{\ell_S}$ 
is a protocol instance $\ell_S$ within server $S$. In this paper, by a general $\Pi_U^{\ell_U}$, we mean $U$ is either 
$S$ or some client $i$. 

- $\mathrm{Flow}_r$: the $r$th message in the protocol execution. 

- $\mathrm{sid}_U^{\ell_U}$: session identifier of $\Pi_U^{\ell_U}$, where $U$ is either a client $i$ or server $S$. This variable is defined 
for security analysis only. Essentially, if two instances are jointly executing a protocol then they 
have the same sid. sid is clear only when the protocol description is available. 

- $\mathrm{sk}_U^{\ell_U}$: session key defined by instance $\Pi_U^{\ell_U}$. 

- $\mathrm{pid}_U^{\ell_U}$: the party $\Pi_U^{\ell_U}$ presumably interacts with. 

- $\mathrm{stat}_U^{\ell_U}$: session state of $\Pi_U^{\ell_U}$. Simply, it is the intermediate data (other than the long term 
secret) necessary for the remaining execution of $\Pi_U^{\ell_U}$. If $\Pi_U^{\ell_U}$ finishes successfully, by default 



Partnering. $\Pi_U^{\ell_U}$ and $\Pi_V^{\ell_V}$ are partnered if (1) $\mathrm{pid}_U^{\ell_U} = V$ and $\mathrm{pid}_V^{\ell_V} = U$; (2) $\mathrm{sid}_U^{\ell_U} = \mathrm{sid}_V^{\ell_V}$. 

Adversarial Model. There are $n$ clients $C_1, \cdots, C_n$ and a server $S$. A client $C_i$ will be initialized 
with a random password $\pi_i \in \mathcal{D}$, which is shared with his server $S$. Server $S$, besides owning all 
clients' passwords, additionally has a high entropic public key and a private key $\theta$. The public key is also 
available to all clients. An adversary can fully control the network. He can inject, modify, and block 
messages. He can also request any session key. Formally, his behaviors are modeled as access to the 
following oracles. 

$\mathrm{Execute}(i, \ell_i, S, \ell_S)$. When this oracle is called, a protocol execution between $\Pi_i^{\ell_i}$ and $\Pi_S^{\ell_S}$ takes 
place. Finally, a complete message transcript is returned. This oracle call models an eavesdropping 
attack. Note that, literally, it can be replaced by a sequence of Send queries below. But it is defined 
separately by requiring that Execute queries should not increase the adversary's success probability. 
$\mathrm{Send}(d, U, \ell_U, M)$. Upon this query, $M$ is sent to $\Pi_U^{\ell_U}$ as $\mathrm{Flow}_d$. The output is whatever $\Pi_U^{\ell_U}$ 
returns. By default, when $d = 0$, $M = \mathrm{null}$. This query models active attacks. 
$\mathrm{Reveal}(U, \ell_U)$. When this oracle is called, session key $\mathrm{sk}_U^{\ell_U}$ (if any) is returned. It models a session 
key loss attack. 
$\mathrm{Corrupt}(i)$. Upon this query, $C_i$'s password $\pi_i$ as well as his session states $\{\mathrm{stat}_i^{\ell_i}\}_{\ell_i}$ is given to the 
adversary. After this, his role will be taken by the adversary. This query models a break-in attack or 
insider attack. We assume $S$ is never corrupted (although a weak corruption of $S$ will be considered 
when defining persistency in the next subsection). 

$\mathrm{Test}(U, \ell_U)$. This query is a security test for session key $\mathrm{sk}_U^{\ell_U}$. The adversary is allowed to query 
it only once. The queried session must have successfully completed. Throughout the game, $U$ and 
$\mathrm{pid}_U^{\ell_U}$ should not be corrupted; and its partnered instance (if any) should not be issued a 
Reveal query. When the Test oracle is called, it flips a fair coin $b$. If $b = 1$, then $\mathrm{sk}_U^{\ell_U}$ is provided to the 
adversary; otherwise, a random number of the same length is provided. The adversary then tries 
to output a guess bit $b'$. If $b' = b$, he will be informed Success; otherwise, Fail. 

We now define the protocol security, which considers three properties: correctness, authentication 
and secrecy. 

Correctness. If two partnered instances accept, they derive the same session key except for 
negligible probability. 

Authentication. If some $\Pi_U^{\ell_U}$, with $U$ and $\mathrm{pid}_U^{\ell_U}$ uncorrupted, has successfully completed while 
it does not have a unique partnered instance, then we say authentication is broken, denoted by 
event Non-Auth. Note that since the password dictionary $\mathcal{D}$ is small, one can always break the 
authentication by guessing a client's password and impersonating him to $S$ (through Send queries). 
Hence, if an adversary makes at most $Q$ Send queries, we can only hope that $\Pr[\mathrm{Non\text{-}Auth}] = Q/|\mathcal{D}| + \mathrm{negl}(\kappa)$. 
However, this requirement is not enough. Boyarsky [6] discussed an authentication 
problem against [15] which does not violate this requirement. Intuitively, in his attack, an adversary 
first obtains a transcript $tr$ between $C_i$ and $S$; then he corrupts $C_j$ and obtains $\pi_j$; next he, in the 
name of $C_j$, communicates with $S$ with the help of $tr$. The last stage is launched many times and 
finally it can obtain $\pi_i$ and hence can impersonate $C_i$ successfully. The significance of this attack 
is that a malicious $C_j$ can break another user's password just through repeated attempts to log in to 
his own account. In this case, the rule that $N$ consecutive failures of login result in his account 
closure can be easily defeated during his attack, by $N - 1$ malicious login attempts followed by 
one correct login. We remark that this attack does not occur in a password-only key exchange 
essentially because the server only has a password and hence when $C_j$ attempts to key exchange 
with $S$ in his own name, the server's answer can be computed by himself. That is, an interaction 
with $S$ in his own name is useless. To address the above attack, we consider the authentication 
between client $C_i$ and server $S$ for each $i$ individually. Define $\mathrm{Non\text{-}Auth}_i$ to be the event Non-Auth 
such that the client in this event is $C_i$. Obviously, $\mathrm{Non\text{-}Auth}_i$, $i = 1, \cdots, n$ are mutually 
disjoint and $\vee_{i=1}^n \mathrm{Non\text{-}Auth}_i = \mathrm{Non\text{-}Auth}$. Our authentication property is to require that for each 
$i$, $\Pr[\mathrm{Non\text{-}Auth}_i] \le Q_i/|\mathcal{D}| + \mathrm{negl}(\kappa)$, where $Q_i$ is the number of $\mathrm{Send}(d, U, \ell_U, \cdot)$ queries such 
that $\mathrm{Client}(\Pi_U^{\ell_U}) = i$. Under our definition, interactions between $C_j$ and $S$ are not counted into $Q_i$ 
and hence cannot increase the probability to break $\pi_i$. 

Secrecy. An adversary can succeed in a Test session. Denote this event by Succ. Since Non-Auth 
already implies a break of the protocol, we only consider Succ under $\neg\mathrm{Non\text{-}Auth}$. As an 
adversary has a naive success probability of $1/2$, we require $\Pr[\mathrm{Succ}(\mathcal{A}) \mid \neg\mathrm{Non\text{-}Auth}] \le 1/2 + \mathrm{negl}(\kappa)$. 

Note it is crucial to properly define the session id sid (hence partnership) so that we do not classify 
secure protocols as insecure. For instance (see [20]), if we define a complete protocol transcript as 
a session id, then any protocol is insecure since as long as we hold the last message, Non-Auth 
occurs. More subtleties of defining sid and partnership can be seen in [8]. Now we are ready to state 
the security definition. 

Definition 1. Let $Q_i$ be the number of $\mathrm{Send}(d, U, \ell_U, \cdot)$ queries such that $i = \mathrm{Client}(\Pi_U^{\ell_U})$. Then, an asymmetric 
password key exchange protocol is secure if 

• Correctness. 

• Authentication. $\Pr[\mathrm{Non\text{-}Auth}_i] \le Q_i/|\mathcal{D}| + \mathrm{negl}(\kappa)$, $\forall i$. 

• Secrecy. $\Pr[\mathrm{Succ}(\mathcal{A}) \mid \neg\mathrm{Non\text{-}Auth}] \le 1/2 + \mathrm{negl}(\kappa)$. 

Note if $Q$ is the number of Send queries, then $Q = \sum_{i=1}^n Q_i$. Hence, authentication in Definition 1 implies 
that $\Pr[\mathrm{Non\text{-}Auth}] \le Q/|\mathcal{D}| + \mathrm{negl}(\kappa)$. This further indicates that $\Pr[\mathrm{Succ}(\mathcal{A})] \le 1/2 + Q/(2|\mathcal{D}|) + \mathrm{negl}(\kappa)$, 
which is the security definition [3] for the password-only key exchange. 

2.1 Persistency against Server Key Leakage 

We now formalize the security when the server's high entropic key gets compromised. This threat 
is possible due to cryptanalysis, a virus attack or poor management. In this case, we cannot 
hope the protocol is secure against an off-line dictionary attack as otherwise the protocol is in 
fact a secure password-only protocol (by making the server secret public). We thus consider a 
weaker guarantee: the adversary should not be able to quickly break lots of passwords. Under this 
assertion, the manager will have enough time to realize and defend against the attack. We remark that 
previous protocols [15, 16, 6] do not prevent this threat since they essentially encrypt a password 
using the server's public key. 

It is desired that if an attacker intends to break $\ell$ passwords, he has to do so using a dictionary 
attack individually on each password, which on average costs $\ell|\mathcal{D}|/2$ dictionary guesses. Quantitatively, 
if any adversary runs $T \le \alpha\ell|\mathcal{D}|$ steps, then he can break $\ell$ passwords with probability at most 
$\exp(-\beta\ell) + \mathrm{negl}(\kappa)$ for some $\beta > 0$, where one step is essentially the cost of one dictionary guess 
and will be defined when the protocol description is available. Also note that since $\ell$ does not 
necessarily depend on the security parameter $\kappa$, we cannot simply require the above adversarial 
success probability to be $\mathrm{negl}(\kappa)$. We notice that it is hard to tell whether an adversary has broken 
a password $\pi_i$ or not. Hence, we cannot directly use this definition. However, if this occurs, it 
should be easy for him to successfully impersonate client $i$, in which case $\mathrm{Non\text{-}Auth}_i$ occurs. Hence, 
we instead define the adversary's success as the occurrence of $\mathrm{Non\text{-}Auth}_i$ for at least $\ell$ different $i$. 
Finally, we define the adversary capability. Since persistency only considers an attack that occurs 
under a very rare circumstance and continues for a short time, oracle queries other than Send are 
immaterial. We thus formally define persistency as follows. 

Definition 2. Let $\ell \in \mathbb{N}$ and $\alpha < 1/2$. Consider an asymmetric password-based key exchange protocol, 
where $\mathcal{D}$ is the password dictionary and the server holds a public key and a private key $\theta$. Then 
the protocol is persistent if for any PPT adversary $\mathcal{A}$ that runs $T \le \ell\alpha|\mathcal{D}|$ steps with access to Send oracles, 
$\mathrm{Non\text{-}Auth}_i$ occurs for $\ell$ different $i$ with probability at most $\exp(-\beta\ell) + \mathrm{negl}(\kappa)$ for some $\beta > 0$, 
where a basic step is specified in a concrete protocol. 

3 Tag-Based Hash Proof System 

In this section, we introduce a tag-based hash proof system, revised from the original hash proof 
system [9] (in fact the brief introduction in [11] suffices) by adding a tag. Special forms of hash 
proof systems are used by [24, 23, 22, 11, 12] to construct password-only key exchange protocols. 






3.1 Subset Membership Problem 

A hard subset membership problem is essentially a problem in which one can efficiently sample a hard 
instance. Formally, a subset membership problem $\mathcal{I}$ is a collection $\{I_n\}_{n \in \mathbb{N}}$, where $I_n$ is a 
distribution for a random variable $\Lambda_n$ that can be sampled in polynomial time: 

• Generate finite non-empty sets $X_n, L_n \subseteq \{0,1\}^{\mathrm{poly}(n)}$ s.t. $L_n \subset X_n$, and a distribution $D(L_n)$ 
over $L_n$ and a distribution $D(X_n \setminus L_n)$ over $X_n \setminus L_n$. 

• Generate a witness set $W_n \subseteq \{0,1\}^{\mathrm{poly}(n)}$ and an NP-relation $R_n \subseteq X_n \times W_n$ such that $x \in L_n$ if 
and only if there exists $w \in W_n$ s.t. $(x, w) \in R_n$. $x \leftarrow D(L_n)$ can be sampled in polynomial time 
and the sampling procedure also outputs a witness $w \in W_n$ s.t. $(x, w) \in R_n$. We use $(x, w) \leftarrow D(L_n)$ 
to denote this procedure. When $w$ is not a concern, we omit it. Further, $x \leftarrow D(X_n \setminus L_n)$ can 
also be sampled in polynomial time. 

Finally, denote $\Lambda_n = (X_n, L_n, W_n, R_n, D(L_n), D(X_n \setminus L_n))$. $\mathcal{I} = \{I_n\}_{n \in \mathbb{N}}$ is called a hard subset 
membership problem if for $(X_n, L_n, W_n, R_n, D(L_n), D(X_n \setminus L_n)) \leftarrow I_n$, $x$ and $y$ are indistinguishable 
when $y \leftarrow D(X_n \setminus L_n)$, $x \leftarrow D(L_n)$. 

3.2 Tag-based Projective Hash Function 

Let $\Lambda = (X, L, W, R, D(L), D(X \setminus L))$ be sampled from a hard subset membership problem $I_n$. 
Consider a tuple $\Psi = (\mathcal{H}, \mathcal{K}, X, L, G, S, \alpha)$, where $G, S, \mathcal{K}$ are finite but non-empty sets, $\mathcal{H} = 
\{H_k(\cdot, \cdot) \mid k \in \mathcal{K}\}$ is a set of functions from $X \times \{0,1\}^*$ to $G$ and $\alpha : \mathcal{K} \to S$ is a deterministic 
function. $\mathcal{K}$ is called the key space, $k \in \mathcal{K}$ is called the projection key; $S$ is called the projection space 
for $\alpha$. $\Psi$ is called a tag-based projective hash function (tag-PHF) for $\Lambda$ if for any $x \in L$ and tag 
$z \in \{0,1\}^*$, $H_k(z, x)$ is uniquely determined by $\alpha(k), z, x$. It is called an efficient tag-PHF if $\alpha(k)$ 
and $H_k(z, x)$ are both polynomially computable from $(k, x, z)$ and if $H_k(z, x)$ is also polynomially 
computable from $x, w, \alpha(k), z$ where $(x, w) \in R$. In this paper, by tag-PHF, we mean an efficient 
tag-PHF. 

The following notion of computational universal$_2$ is slightly revised from [17], which in turn 
is extended from the notion of universal$_2$ by relaxing the statistical indistinguishability to 
computational indistinguishability. 

Definition 3. $\Lambda = (X, L, W, R, D(L), D(X \setminus L)) \leftarrow I_n$, where $\{I_n\}_n$ is a hard subset membership 
problem. $\Psi = (\mathcal{H}, \mathcal{K}, X, L, G, S, \alpha)$ is a tag-based projective hash function for $\Lambda$. $\Psi$ is computational 
universal if any PPT $\mathcal{A}$ only has a negligible advantage in the following game. Take $k \leftarrow \mathcal{K}$ 
and provide $(\Psi, \alpha(k))$ to $\mathcal{A}$. $\mathcal{A}$ can do the following. 

- $\mathcal{A}$ can adaptively query $(z, x) \in \{0,1\}^* \times X$ to an Eval oracle, where oracle Eval is defined 
as follows. It checks if $x \in L$ (maybe in exponential time). If yes, return $H_k(z, x)$; otherwise $\bot$. 

- $\mathcal{A}$ can ask once to compute some $(z_1, x_1) \in \{0,1\}^* \times X \setminus L$. In turn, he will receive $H_k(z_1, x_1)$. 

- $\mathcal{A}$ can ask once to test some $(z_2, x_2) \in \{0,1\}^* \times X \setminus L$ for $(z_2, x_2) \ne (z_1, x_1)$. In turn, he will 
receive $K_b$, where $b \leftarrow \{0,1\}$, $K_0 = H_k(z_2, x_2)$ and $K_1 \leftarrow G$. 

Finally, $\mathcal{A}$ outputs a bit $b'$ for guessing $b$ and succeeds if $b' = b$. 
3.3 A Useful Lemma 

$\{I_\kappa\}_\kappa$ is a hard subset membership problem. Take $\Lambda = (X, L, W, R, D(L), D(X \setminus L)) \leftarrow I_\kappa$. Define 
a tag-based PHF $\Psi = (\mathcal{H}, \mathcal{K}, X, L, G, S, \alpha)$ for $\Lambda$, where $G = \{0,1\}^{2\kappa}$. Take $k \leftarrow \mathcal{K}$ as a private key and 
$pk = (\alpha(k), \mathrm{desc}(\Psi))$ as a public key, where $\mathrm{desc}(\Psi)$ is the description of $\Psi$. Let $\mathrm{MAC} : \{0,1\}^* \to 
\{0,1\}^\kappa$ be a message authentication code with key space $\{0,1\}^\kappa$. Consider the following game 
between a PPT adversary $\mathcal{A}$ and a challenger, where $\mathcal{A}$ receives $pk$ and the challenger keeps $k$. Let 
$\Theta = \{\}$ and $c \leftarrow \{0,1\}$. 

• Challenge Query. $\mathcal{A}$ can adaptively query with any tag $z$. Upon this, the challenger takes 
$x \leftarrow L$, lets $(a_0, s_0) = H_k(z, x)$, $(a_1, s_1) \leftarrow \{0,1\}^{2\kappa}$, returns $(x, a_c, s_c)$ and updates $\Theta = \Theta \cup 
\{(z, x, a_c, s_c)\}$. 

• Compute Query. $\mathcal{A}$ can adaptively query with $(z, x, \sigma, m)$. If $(z, x, a', s') \in \Theta$ for some $a', s'$, 
let $a = a', s = s'$; otherwise, let $(a, s) = H_k(z, x)$. If $\sigma = \mathrm{MAC}_a(m)$, return $(a, s)$; otherwise $\bot$. 

At the end of the game, $\mathcal{A}$ outputs a guess bit $d$ for $c$. He succeeds if $d = c$. 

Denote this game by $\mathcal{G}$. The lemma below states that $\mathcal{A}$ only has a negligible advantage (see 
Appendix A for the proof). 

Lemma 1. $\{I_\kappa\}_\kappa$ is a hard subset membership problem, $\Psi$ is computational universal and MAC 
is existentially unforgeable. Then $\Pr[\mathrm{Succ}(\mathcal{A})] = 1/2 + \mathrm{negl}(\kappa)$. 

4 Red Ball Experiment 

We consider an experiment: there are $n$ boxes, where each box contains $a$ identical balls except for 
a color difference, where one of them is colored red while the remaining $a - 1$ balls are colored white. 
Algorithm $\mathcal{A}$ adaptively draws $t$ balls from these boxes. Each time it chooses a box and then draws a 
ball uniformly at random from it without replacement. Let $\ell \in \{1, \cdots, n\}$. We use $\Theta_{t,n,\ell}^{\mathcal{A}}(a_1, \cdots, a_n)$ 
to denote the success probability that algorithm $\mathcal{A}$ draws $t$ balls (from these boxes) such that $\ell$ of 
them are red, where box $i$ initially contains $a_i$ balls including one red. When the red ball in a 
box is taken, set $a_i = 0$ since $\mathcal{A}$ knows all remaining balls in this box are white and does not need to draw any ball 
from it any more. Let $\Theta_{t,n,\ell}(a_1, \cdots, a_n) = \max_{\mathcal{A}} \Theta_{t,n,\ell}^{\mathcal{A}}(a_1, \cdots, a_n)$. It is easy to see that for any 
permutation $(a_1', \cdots, a_n')$ of $(a_1, \cdots, a_n)$, $\Theta_{t,n,\ell}(a_1, \cdots, a_n) = \Theta_{t,n,\ell}(a_1', \cdots, a_n')$ holds. We prove the 
following important lemma, where the proof is by induction. Due to the page limit, the details are 
in Appendix B. 

Lemma 2. If $1 \le a_1 \le a_2 \le \cdots \le a_n$, $\ell \le n$, $t \ge 0$, then 

(1) 

Theorem 1. If $t \le \alpha\ell a$ and $\alpha < 0.5$, then 

$\Theta_{t,n,\ell}(a, \cdots, a) \le \exp(-2(0.5 - \alpha)^2 \ell)$. 
Fig. 1. Password Key Exchange Framework HPS-PAKE (details in the body text). The figure shows the four flows: 

Client $C_i$ (holds $\pi_i$ and the public key): $x \leftarrow D(L)$ with witness $w$, $y = T(\pi_i, x)$, $(k_0, k_1) = H_\theta(i, x)$ using $w$, $r_0 = \mathrm{MAC}_{k_0}(C_i|S|y)$; sends $C_i|y|r_0$. 
Server $S$ (holds $\pi_i$ and $\theta$): $x = T^*(\pi_i, y)$, $(k_0', k_1') = H_\theta(i, x)$ using $\theta$, checks $r_0 = \mathrm{MAC}_{k_0'}(C_i|S|y)$, $\zeta \leftarrow \{0,1\}^\kappa$, $\omega = C_i|S|y|\zeta$, $r_1 = \mathrm{MAC}_{k_0'}(\omega|1)$; sends $S|r_1|\zeta$. 
Client $C_i$: $\omega = C_i|S|y|\zeta$, checks $r_1 = \mathrm{MAC}_{k_0}(\omega|1)$, $r_2 = \mathrm{MAC}_{k_0}(\omega|2)$, outputs $sk = k_1$; sends $r_2$. 
Server $S$: checks $r_2 = \mathrm{MAC}_{k_0'}(\omega|2)$, outputs $sk = k_1'$. 



Proof. By Lemma 2, $\Theta_{t,n,\ell}(a, \cdots, a)$ equals 

$\Pr[x_1 + \cdots + x_\ell \le t]$ 

$= \Pr\left[\frac{x_1 + \cdots + x_\ell}{\ell} - \frac{a}{2} \le -\left(\frac{a}{2} - \frac{t}{\ell}\right)\right]$ 

$\le \exp(-2\delta^2 \ell / a^2), \quad \delta = \frac{a}{2} - \frac{t}{\ell} \ge (0.5 - \alpha) a \quad (*)$ 

$\le \exp(-2(0.5 - \alpha)^2 \ell),$ 

where inequality $(*)$ holds since $E[x_i] = a/2$ and by the Hoeffding inequality. ■ 
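To make the bound concrete, here is an added worked example (not code from the paper): it computes $\Pr[x_1 + \cdots + x_\ell \le t]$ exactly by dynamic programming, modelling each $x_i$, the number of draws needed to find the red ball in a box of $a$ balls, as uniform on $\{1, \ldots, a\}$ (this example's modelling choice); it also runs a seeded Monte Carlo simulation of the experiment with the natural strategy of draining one box at a time, and compares both against the bound $\exp(-2(0.5-\alpha)^2\ell)$ of Theorem 1. All function names and parameters are this example's own.

```python
import math
import random


def success_probability_exact(a, l, t):
    """Pr[x_1 + ... + x_l <= t], the quantity the proof of Theorem 1 bounds, with each
    x_i (draws needed to find the red ball in a box of a balls) uniform on {1, ..., a};
    that distribution is this example's modelling choice. Dynamic programming over the
    running sum, truncated at t because larger sums can never succeed."""
    if l == 0:
        return 1.0
    if t < l:
        return 0.0
    dist = [0.0] * (t + 1)          # dist[s] = Pr[x_1 + ... + x_j = s]
    dist[0] = 1.0
    for _ in range(l):
        prefix = [0.0] * (t + 2)    # prefix[s] = dist[0] + ... + dist[s-1]
        for s in range(t + 1):
            prefix[s + 1] = prefix[s] + dist[s]
        new = [0.0] * (t + 1)
        for s in range(1, t + 1):
            new[s] = (prefix[s] - prefix[max(0, s - a)]) / a   # average of dist[s-a .. s-1]
        dist = new
    return sum(dist)


def theorem1_bound(alpha, l):
    """Right-hand side of Theorem 1, valid whenever t <= alpha * l * a and alpha < 0.5."""
    return math.exp(-2 * (0.5 - alpha) ** 2 * l)


def simulate(a, n, l, t, trials, seed=0):
    """Monte Carlo estimate of the success probability for one natural adaptive strategy:
    keep drawing from the current box until its red ball appears, then move on.
    Returns the fraction of trials in which l red balls were found within t draws."""
    rng = random.Random(seed)       # seeded so the experiment is reproducible
    wins = 0
    for _ in range(trials):
        draws, reds = 0, 0
        for _box in range(n):
            # drawing without replacement from a balls, one of them red, finds the red
            # one after x draws, where x is uniform on {1, ..., a}
            x = rng.randint(1, a)
            if draws + x > t:       # budget exhausted before this red ball shows up
                break
            draws += x
            reds += 1
            if reds == l:
                wins += 1
                break
    return wins / trials


if __name__ == "__main__":
    a, n, l, alpha = 100, 50, 20, 0.25
    t = int(alpha * l * a)          # 500 draws, a quarter of the exhaustive cost l * a
    print("exact     ", success_probability_exact(a, l, t))
    print("simulated ", simulate(a, n, l, t, trials=2000, seed=1))
    print("Theorem 1 ", theorem1_bound(alpha, l))
```

With $a = 100$, $\ell = 20$ and $\alpha = 0.25$, the exact probability of collecting 20 red balls in 500 draws is far below the Theorem 1 value $\exp(-2 \cdot 0.0625 \cdot 20) \approx 0.082$, which illustrates that the Hoeffding-style bound is loose but already gives the exponential decay in $\ell$ that Definition 2 asks for.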
5 Our PAKE Framework 

We now introduce our client-server password key exchange framework. Let $\mathcal{I} = \{I_\kappa\}_\kappa$ be a hard 
subset membership problem and $\Lambda = (X, L, W, R, D(L), D(X \setminus L)) \leftarrow I_\kappa$. $\Psi = (\mathcal{H}, \mathcal{K}, X, L, G, S, \alpha)$ 
is a tag-based projective hash family for $\Lambda$, where $G = \{0,1\}^{2\kappa}$. $\mathcal{D} = \{1, \cdots, N\}$ is the set of all 
possible passwords with uniform distribution. We say $T, T^* : \mathcal{D} \times X \to X$ are a regular transformation 
pair if they are efficiently computable and also satisfy the following. 

R-1. For any fixed $\pi \in \mathcal{D}$, $T^*(\pi, T(\pi, x)) = x$, $\forall x \in X$, i.e., $T^*(\pi, \cdot)$ is the inverse function of 
$T(\pi, \cdot)$. 

R-2. For any $y \in X$, there is at most one $\pi \in \mathcal{D}$ such that $T^*(\pi, y) \in L$. 

$\mathrm{MAC}_k : \{0,1\}^* \to \{0,1\}^\kappa$ is a secure message authentication code. The setup is as follows. For 
the server $S$, take $\theta \leftarrow \mathcal{K}$ and compute $\alpha(\theta)$. $\theta$ will be the private key for $S$ and $\alpha(\theta)$ will be 
his public key. The public key is known to all clients. For each client $C_i$, take $\pi_i \leftarrow \mathcal{D}$ as the password for $C_i$, 
shared with $S$. $C_i$ stores the public key publicly and $\pi_i$ secretly. $S$ stores $\pi_i, \theta$ secretly and the public key publicly. The key 
exchange protocol between $S$ and $C_i$ is carried out as follows (also see Fig. 1), where we assume 
that $y \in X$ has been verified, but in Section 8 we will remove this condition at almost zero price 
for a concrete and efficient realization of our framework. 

1. $C_i$ takes $x \leftarrow D(L)$ with witness $w$. Then he uses $\pi_i$ to compute $y = T(\pi_i, x)$, computes $(k_0, k_1) = H_\theta(i, x)$ 
using $w$, $x$ and the public key $\alpha(\theta)$, and generates $r_0 = \mathrm{MAC}_{k_0}(C_i|S|y)$. Finally, he sends $C_i|y|r_0$ to server $S$. $C_i$ sets 
his session state $\mathrm{stat} = C_i|S|y|k_0|k_1$. 

2. Receiving $C_i|y|r_0$, server $S$ uses $\pi_i$ to de-transform $y$ back to $x = T^*(\pi_i, y)$, computes $(k_0', k_1') = 
H_\theta(i, x)$ using $(\theta, x)$. He then verifies if $r_0 = \mathrm{MAC}_{k_0'}(C_i|S|y)$. If no, reject; otherwise, he takes 
$\zeta \leftarrow \{0,1\}^\kappa$ and computes $r_1 = \mathrm{MAC}_{k_0'}(\omega|1)$ for $\omega = C_i|S|y|\zeta$. Finally, he sends $S|r_1|\zeta$ to $C_i$. $S$ 
sets his session state $\mathrm{stat} = C_i|S|y|\zeta|k_0'|k_1'$. 

3. Upon $S|r_1|\zeta$, $C_i$ verifies if $r_1 = \mathrm{MAC}_{k_0}(\omega|1)$ for $\omega = C_i|S|y|\zeta$. If no, reject; otherwise, he 
computes and sends $r_2 = \mathrm{MAC}_{k_0}(\omega|2)$ to $S$ and outputs session key $sk = k_1$. $C_i$ updates 
$\mathrm{stat} = C_i|S|sk$. 

4. Upon $r_2$, server $S$ verifies if $r_2 = \mathrm{MAC}_{k_0'}(\omega|2)$. If no, reject; otherwise, output session key 
$sk = k_1'$. $S$ updates $\mathrm{stat} = C_i|S|sk$. 
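As an added example (not the paper's code, and not the concrete realization of Section 8), the following Python sketch runs the four flows above over a deliberately tiny toy instantiation: a hypothetical Cramer-Shoup-style tag-based projective hash over the order-509 subgroup of $\mathbb{Z}_{1019}^*$, the transformation $T(\pi, (x_1, x_2)) = (x_1, x_2 g_2^{\pi})$ with inverse $T^*$, HMAC-SHA256 as the MAC, and a SHA-256 key derivation that maps the hash output to $(k_0, k_1)$. All group parameters, identifiers and function names are constructed assumptions of this example; the group is far too small to offer any security and serves only to show the mechanics: the client computes $H_\theta(i, x)$ from the projection and the witness, the server computes it from $\theta$, and a wrong password makes the server's de-transformed $x$ leave $L$ so that $r_0$ is rejected in step 2.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example only (far too small to be secure): the quadratic
# residues modulo the safe prime P = 1019 form a group of prime order Q = 509.
P, Q = 1019, 509
G1, G2 = 4, 9                  # two generators of that subgroup
CLIENT_ID, SERVER_ID = b"C_i", b"S"
DICTIONARY = range(1, 101)     # D = {1, ..., 100}; N < Q is what makes R-2 hold

def enc(*parts):
    """Unambiguous byte encoding of the concatenation A|B|... used by the protocol."""
    return b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

# Hypothetical tag-PHF (Cramer-Shoup style): X = G x G, L = {(G1^r, G2^r)} with witness r,
# private key theta = (k1, k2, k3, k4), projection alpha(theta) = (G1^k1 G2^k2, G1^k3 G2^k4).
def keygen():
    theta = tuple(secrets.randbelow(Q) for _ in range(4))
    projection = (pow(G1, theta[0], P) * pow(G2, theta[1], P) % P,
                  pow(G1, theta[2], P) * pow(G2, theta[3], P) % P)
    return theta, projection

def tag_exponent(z, x):
    """Fold the tag z (the client index) and x into an exponent in Z_Q."""
    return int.from_bytes(hashlib.sha256(enc(z, *x)).digest(), "big") % Q

def kdf(h, z, x):
    """Map the group element to (k0, k1); binding z and x keeps distinct inputs apart
    even in this tiny group."""
    return tuple(hashlib.sha256(enc(label, h, z, *x)).digest() for label in (b"k0", b"k1"))

def hash_with_key(theta, z, x):                 # H_theta(z, x) computed from theta
    t = tag_exponent(z, x)
    h = (pow(x[0], (theta[0] + t * theta[2]) % Q, P)
         * pow(x[1], (theta[1] + t * theta[3]) % Q, P)) % P
    return kdf(h, z, x)

def hash_with_witness(projection, z, x, r):     # H_theta(z, x) from alpha(theta) and witness r
    t = tag_exponent(z, x)
    h = pow(projection[0] * pow(projection[1], t, P) % P, r, P)
    return kdf(h, z, x)

def in_L(x):
    """Membership test by exhaustive search, possible only because Q is tiny."""
    return any((pow(G1, r, P), pow(G2, r, P)) == x for r in range(Q))

# Regular transformation pair: shift the second coordinate by G2^pi. R-1 and R-2 hold
# because G2 has prime order Q > N.
def T(pi, x):
    return (x[0], x[1] * pow(G2, pi, P) % P)

def T_inv(pi, y):
    return (y[0], y[1] * pow(G2, (-pi) % Q, P) % P)

def client_flow1(projection, i, pi):            # step 1
    r = secrets.randbelow(Q)
    x = (pow(G1, r, P), pow(G2, r, P))          # x <- D(L) with witness r
    y = T(pi, x)
    k0, k1 = hash_with_witness(projection, i, x, r)
    r0 = mac(k0, enc(CLIENT_ID, SERVER_ID, *y))
    return {"y": y, "k0": k0, "k1": k1}, (CLIENT_ID, y, r0)

def server_flow2(theta, i, pi, flow1):          # step 2
    cid, y, r0 = flow1
    x = T_inv(pi, y)                            # de-transform with the shared password
    k0, k1 = hash_with_key(theta, i, x)
    if not hmac.compare_digest(r0, mac(k0, enc(cid, SERVER_ID, *y))):
        return None, None                       # reject
    zeta = secrets.token_bytes(32)
    omega = enc(cid, SERVER_ID, *y, zeta)
    return {"omega": omega, "k0": k0, "k1": k1}, (SERVER_ID, mac(k0, enc(omega, 1)), zeta)

def client_flow3(state, flow2):                 # step 3
    _sid, r1, zeta = flow2
    omega = enc(CLIENT_ID, SERVER_ID, *state["y"], zeta)
    if not hmac.compare_digest(r1, mac(state["k0"], enc(omega, 1))):
        return None, None
    return state["k1"], mac(state["k0"], enc(omega, 2))   # sk = k1, r2

def server_flow4(state, r2):                    # step 4
    if not hmac.compare_digest(r2, mac(state["k0"], enc(state["omega"], 2))):
        return None
    return state["k1"]                          # sk = k1'

def run(client_pw, server_pw, i=1):
    """Run all four flows; returns (client_key, server_key), None where a party rejected."""
    theta, projection = keygen()
    st_c, flow1 = client_flow1(projection, i, client_pw)
    st_s, flow2 = server_flow2(theta, i, server_pw, flow1)
    if st_s is None:
        return None, None
    sk_c, r2 = client_flow3(st_c, flow2)
    if sk_c is None:
        return None, None
    return sk_c, server_flow4(st_s, r2)
```

`run(42, 42)` yields two equal session keys, while `run(42, 43)` returns `(None, None)`: the server's de-transformation with the wrong password lands outside $L$, its $(k_0', k_1')$ differ from the client's, and $r_0$ fails verification. The tag $i$ enters both the hash exponent and the key derivation, which is the binding Remark (2) below relies on: the same $x$ hashed under a different client index gives unrelated keys.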

Remark. We outline how some attacks are prevented in order to better understand our protocol. 
(1) Against the impersonation attack. If an attacker impersonates $C_i$ to generate and send $\mathrm{Flow}_1 = 
C_i|y|r_0$ to $S$, then since he does not know $\pi_i$, $T^*(\pi_i, y) \in L$ holds with probability 
When $x := T^*(\pi_i, y) \notin L$, $r_0$ will be rejected since $(k_0, k_1) = H_\theta(i, x)$ appears random to the 
attacker. (2) Against the insider attack (as in [6]). When a malicious $C_j$ eavesdrops a transcript 
$tr = C_i|y|r_0|S|r_1|\zeta|r_2$ between $C_i$ and $S$, he then executes the protocol with $S$ in the name of 
himself but using $tr$ as a help. Toward this, he might send $\mathrm{Flow}_1 = C_j|y|r_0^*$ to $S$ and hope to receive 
a response from the latter. $r_0^*$ is acceptable only if $r_0^* = \mathrm{MAC}_{k_0^*}(C_j|S|y)$, where $(k_0^*, k_1^*) := H_\theta(j, x^*)$ 
for $x^* = T^*(\pi_j, y)$. The only useful information is $r_0$, which is computed using $(k_0, k_1) := H_\theta(i, x)$ for 
$x = T^*(\pi_i, y)$. However, no matter whether $\pi_j = \pi_i$ or not, we have that $(j, x^*) \ne (i, x)$ as $i \ne j$ (this is the 
main reason we use tag-HPS instead of HPS in this paper). This allows us to claim that 
$k_0^*$ and $k_0$ are computationally independent. If $x \notin L$, this is automatically true by the computational 
universal definition. In our protocol, even if $x \leftarrow D(L)$, this computational independence still 
holds; otherwise, one can simply reduce to breaking the hardness of $L$. Thus, $S$ will always reject $r_0^*$. 
Since this rejection occurs without considering the value of $\pi_i$, it follows that the candidate space 
of $\pi_i$ in the view of the adversary does not shrink. (3) Session key secrecy. The session key $sk = k_1$ is 
computed by $(k_0, k_1) = H_\theta(i, x)$. Client $C_i$ can compute this since he knows the witness $w$ of $x \in L$, 
and server $S$ can compute this since he knows $\pi_i$ (for recovering $x$ from $y$) and $\theta$ for $(k_0, k_1)$. Any 
outsider cannot compute $(k_0, k_1)$ since given $x$ and the public key, $H_\theta(i, x)$ is indistinguishable from random, 
which is implied by Lemma 1. 

6 Security 

In this section, we prove the security of our protocol. Before this, we define the session id in the 
protocol as $\mathrm{sid}_U^{\ell_U} = C_i|S|y|\zeta$, where $U$ is the client $i$ or server $S$. Since the password $\pi_i$ for $C_i$ and 
$S$ and $\theta$ are both fixed after the system initiation, $H_\theta(i, x)$ is determined for a given $C_i|S|y$. Hence, 
two partnered parties must have the same session key. It remains to consider the authentication 
and secrecy, which we will prove using a game-hopping approach. 

Theorem 2. $\mathcal{I} = \{I_\kappa\}_\kappa$ is a hard subset membership problem. $\mathrm{MAC} : \{0,1\}^* \to \{0,1\}^\kappa$ is an 
existentially unforgeable message authentication code. $\Psi$ is computational universal for $\mathcal{I}$. $(T, T^*)$ 
is a regular transformation pair. Then HPS-PAKE is secure. 

Proof. We modify the security game (denoted by $\Gamma_{real}$) into a sequence of games $\Gamma_0 (= \Gamma_{real}), \Gamma_1, \Gamma_2, \ldots$ such that 
any adversary view (hence the events $\mathrm{Non\text{-}Auth}_i$ or Succ, as they are in the adversary view) between 
each neighboring pair are negligibly close. For simplicity, we regard an Execute query as a result of 4 
Send queries (i.e., $\mathrm{Send}(d, \cdot)$, $d = 0, 1, 2, 3$) and later will remove its effect on $\mathrm{Non\text{-}Auth}_i$ and Succ 
by analyzing these special Send queries. For simplicity, we assume the Normal condition: sampling 
$x \leftarrow D(L)$ never repeats the same $x$ (otherwise, we can break the hardness of $\mathcal{I}$: given a challenge 
$x$, sample $y \leftarrow D(L)$. Then $x = y$ for $x \leftarrow D(L)$ holds non-negligibly while $x \ne y$ always holds for 
$x \leftarrow D(X \setminus L)$). 

Game $\Gamma_1$. We modify $\Gamma_0$ to $\Gamma_1$ with the following differences. The $\mathrm{Send}(0, i, \ell_i, \mathrm{null})$ oracle defines 
$(k_0, k_1) \leftarrow \{0,1\}^{2\kappa}$ (instead of $(k_0, k_1) = H_\theta(i, x)$). The challenger maintains a list $\Omega$ of records $(i, y, k_0, k_1)$. For 
consistency, $\mathrm{Send}(1, S, \ell_S, C_i|y|r_0)$ is handled as follows. First check if $(i, y, u_0, u_1) \in \Omega$ for some 
$(u_0, u_1)$. If no, process normally using $\theta$; otherwise, define $(k_0', k_1') = (u_0, u_1)$ and proceed normally. 

Lemma 3. $\mathrm{View}(\mathcal{A}, \Gamma_0) \approx \mathrm{View}(\mathcal{A}, \Gamma_1)$. 

Proof. If the views of $\mathcal{A}$ are distinguishable, we construct an adversary $\mathcal{B}$ to violate Lemma 1. 
Upon $\mathrm{desc}(\Psi)$ and the public key $\alpha(\theta)$, $\mathcal{B}$ simulates $\Gamma_0$ as follows. Let $\Omega = \{\}$. 

$\mathrm{Send}(0, i, \ell_i, \mathrm{null})$. Upon this query, $\mathcal{B}$ issues a Challenge query with tag $i$ and in turn receives 
$(x, a_c, s_c)$. He defines $(k_0, k_1) = (a_c, s_c)$ and normally finishes the simulation in this query. Finally, 
he defines $\mathrm{stat}_i^{\ell_i} = C_i|S|y|k_0|k_1$ and updates $\Omega = \Omega \cup \{(i, y, k_0, k_1)\}$. Note in this case, the challenger 
of $\mathcal{B}$ will update his list $\Theta = \Theta \cup \{(i, x, k_0, k_1)\}$. 

$\mathrm{Send}(1, S, \ell_S, C_i|y|r_0)$. Upon this query, compute $x = T^*(\pi_i, y)$. Then, he issues a Compute query 
$(i, x, r_0, C_i|S|y)$. In turn, he will receive $(a, s)$. If $(a, s) = \bot$, he rejects; otherwise, he defines $(k_0', k_1') = 
(a, s)$ and finishes the remaining simulation in this query normally. In the latter case, he also updates 
$\mathrm{stat}_S^{\ell_S} = C_i|S|y|\zeta|k_0'|k_1'$. Note if $x$ was generated in $\mathrm{Send}(0, i, \cdot)$, then $(i, x, a_c, s_c) \in \Theta$. In this 
case, the simulation is consistent with $\Gamma_c$: if $r_0 = \mathrm{MAC}_{a_c}(C_i|S|y)$, then the Compute oracle returns 
$(a, s) = (a_c, s_c)$; otherwise, it returns $(a, s) = \bot$ (and $\mathcal{B}$ will correctly reject $r_0$). If $x$ is not generated 
in $\mathrm{Send}(0, i, \cdot)$ (note it could be generated by client $i' \ne i$), then $(i, x, *, *) \notin \Theta$ and hence $r_0$ will be 
verified by the challenger of $\mathcal{B}$ using $(k_0, k_1) = H_\theta(i, x)$ computed using $\theta$. In this case, $(a, s) = \bot$ if 
$r_0$ is invalid; $(a, s) = (k_0, k_1)$ otherwise. Hence, in any case, the simulation in this query is perfectly 
consistent with $\Gamma_c$. 

$\mathrm{Send}(2, i, \ell_i, S|\zeta|r_1)$. Upon this query, use $\mathrm{stat}_i^{\ell_i}$ to simulate normally. Finally, if $r_1$ is accepted, 
update $\mathrm{stat}_i^{\ell_i} = C_i|S|k_1$. 

$\mathrm{Send}(3, S, \ell_S, r_2)$. Upon this query, use $\mathrm{stat}_S^{\ell_S}$ to simulate normally. Finally, if $r_2$ is accepted, update 
$\mathrm{stat}_S^{\ell_S} = C_i|S|k_1'$. 

$\mathrm{Reveal}(U, \ell_U)$ and $\mathrm{Test}(U, \ell_U)$. This occurs only when $\Pi_U^{\ell_U}$ has successfully completed. In this 
case, $\mathrm{sk}_U^{\ell_U}$ is well defined in $\mathrm{stat}_U^{\ell_U}$ above. Hence, the simulation is normal. 

$\mathrm{Corrupt}(i)$. As seen above, $\mathrm{stat}_i^{\ell_i}$ is well defined and $\pi_i$ is known. Hence, the simulation is normal. 

From the description of $\mathcal{B}$, we can see that when the challenge bit $c = 0$, the game simulated by $\mathcal{B}$ 
is $\Gamma_0$; otherwise, it is $\Gamma_1$. Hence, the distinguishability between $\Gamma_0$ and $\Gamma_1$ leads to a violation of Lemma 
1. □ 

Game $\Gamma_2$. We modify $\Gamma_1$ to $\Gamma_2$ as follows. In the oracle Send$(0,i,\ell_i,\mathrm{null})$, take $x\leftarrow X$ (instead of $x\leftarrow L$). Note that since the witness $w$ is not used in the simulation of $\Gamma_1$, no further change is required for consistency with this modification. By simply reducing to the hardness of $L$, we have

Lemma 4. $\mathrm{View}(\mathcal{A},\Gamma_1)\approx\mathrm{View}(\mathcal{A},\Gamma_2)$.
We analyze $\Gamma_2$. Recall that in Send$(1,S,\ell_S,C_i|y|\tau_0)$, when $(i,y,*,*)\notin Q$, we define $(k_0',k_1')=H_\theta(i,x)$ and verify $\tau_0$ with $k_0'$. Consider a Bad event in this query: $(i,y,*,*)\notin Q$ and $T^*(\pi_i,y)\notin L$, but $\tau_0$ is valid. We show

Lemma 5. $\Pr[\mathrm{Bad}(\Gamma_2)]=\mathrm{negl}(\kappa)$.

Proof. Assume the lemma is not true. Call a Send$(1,S,\ell_S,C_i|y|\tau_0)$ query irregular if $(i,y,*,*)\notin Q$ and $T^*(\pi_i,y)\notin L$. Let the number of irregular queries be bounded by $v$. Let $\mathrm{Bad}_t$ denote the event that the $t$-th irregular query is the first Bad event. Note that when Bad occurs, there is exactly one $t$ for which $\mathrm{Bad}_t$ occurs.

We now construct an adversary $\mathcal{A}'$ that breaks the computational universal property of $\Psi$. Upon receiving $\mathrm{desc}(\Psi)$ and $\alpha(\theta)$, $\mathcal{A}'$ takes $t\leftarrow\{1,\ldots,v\}$, initializes $\pi_i$ for each $C_i$, and simulates $\Gamma_2$, except where $\theta$ is needed, which happens in one of the following scenarios (note especially that $(k_0,k_1)$ in Send$(0,\cdot)$ is taken uniformly from $\{0,1\}^{2\kappa}$ without using $\theta$). (1) $S$ is corrupted and $\theta$ should be given to $\mathcal{A}$. This does not occur since we assume $S$ is uncorrupted. (2) In Send$(1,S,\ell_S,C_i|y|\tau_0)$, $\mathcal{A}'$ would use $\theta$ to compute $(k_0',k_1')$ when $(i,y,*,*)\notin Q$. In this case, $\mathcal{A}'$ computes $x=T^*(\pi_i,y)$ and queries his Evalu oracle to obtain $H_\theta(i,x)$. When $x\in L$, he receives $H_\theta(i,x)$; when $x\notin L$, he receives $\bot$. In the former case, he proceeds normally; in the latter case, the query is irregular. If this is the $j$-th irregular query for $j<t$, he rejects $\tau_0$; if it is the $t$-th irregular query, he issues $(i,x)$ as his challenge query and in turn receives $(a_c,s_c)$ for the challenge bit $c$. If $\tau_0=\mathrm{MAC}_{a_c}(C_i|S|y)$, he outputs 0; otherwise he outputs 1. First, when $c=1$, $a_1$ is independent of the adversary view prior to the current query, so by the unforgeability of MAC, $\tau_0=\mathrm{MAC}_{a_1}(C_i|S|y)$ holds only with negligible probability; we ignore this tiny probability. When $c=0$ and $t$ is correct, the adversary view up to the current query is identical to his view in $\Gamma_2$. In this case, validity of $\tau_0$ is the $\mathrm{Bad}_t$ event, in which $\mathcal{A}'$ must output 0. Since $\mathrm{Bad}_t$ implies that $\tau_0$ is valid and that upon such an event the simulation by $\mathcal{A}'$ prior to the $t$-th irregular query is identical to $\Gamma_2$ (even without counting the output of $\mathcal{A}'$ in the case $c=0$ with an incorrect $t$), we always have
$$\big|\Pr[\mathcal{A}'^{\mathrm{Evalu}}(0,\cdot)=0]-\Pr[\mathcal{A}'^{\mathrm{Evalu}}(1,\cdot)=0]\big|\ \ge\ \Pr[\mathrm{Bad}_t(\Gamma_2)]-\mathrm{negl}(\kappa)\ \ge\ \frac{\Pr[\mathrm{Bad}(\Gamma_2)]}{v}-\mathrm{negl}(\kappa),$$
which is non-negligible, a contradiction. Here we use the fact that $t$ is uniformly random and hence $\Pr[\mathrm{Bad}_t(\Gamma_2)]=\Pr[\mathrm{Bad}(\Gamma_2)]/v$. $\square$

For simplicity, we assume from now on that the Bad event never occurs.

Lemma 6. If the initiator $\Pi_i^{\ell_i^*}$ accepts $Flow_2=S|\zeta^*|\tau_1^*$, then it has a unique partner $\Pi_S^{\ell_S^*}$.

Proof. Recall that $\mathrm{sid}_i^{\ell_i^*}=C_i|S|y^*|\zeta^*$. Since $S$ never samples the same $\zeta^*$ twice, except with a negligible probability (which we ignore), the number of instances $\Pi_S^{\ell_S}$ partnered with $\Pi_i^{\ell_i^*}$ is at most one. It suffices to prove that such a $\Pi_S^{\ell_S^*}$ exists. If it does not exist, we show that MAC is forgeable. Assume that $\mathrm{stat}_i^{\ell_i^*}$ after sending $Flow_1$ is $C_i|S|y^*|k_0^*|k_1^*$. Reviewing the definitions of the oracles in $\Gamma_2$, besides computing the function $\mathrm{MAC}_{k_0^*}(\cdot)$, $k_0^*$ (and its identical copy $k_0'^*$) would be used before $\Pi_i^{\ell_i^*}$ verifies $Flow_2$ only in the following scenario: $k_0^*$ is revealed through the corruption of $C_i$ (note that $S$ is uncorrupted). This is impossible, since a corrupted party is controlled by $\mathcal{A}$ and so the Send$(2,i,\ell_i^*,Flow_2)$ query would not have occurred. Hence, prior to the verification of $Flow_2$ by $\Pi_i^{\ell_i^*}$, $\Gamma_2$ uses $k_0^*$ only to evaluate $\mathrm{MAC}_{k_0^*}(\cdot)$. To reduce to the unforgeability of MAC, it suffices to show that prior to the verification of $Flow_2$ by $\Pi_i^{\ell_i^*}$, the simulator never evaluates and outputs $\mathrm{MAC}_{k_0^*}(\cdot)$ on the input $C_i|S|y^*|\zeta^*|1$. Otherwise, since $\tau_0,\tau_1,\tau_2$ have different input formats, this evaluation must have been done by $S$ in some Send$(1,S,\ell_S,\cdot)$ query, which already implies that $\Pi_S^{\ell_S}$ is partnered with $\Pi_i^{\ell_i^*}$, contradicting our assumption. Thus, validity of $\tau_1^*$ implies a MAC forgery. $\square$
Lemma 7. Assume that $\mathrm{pid}_S^{\ell_S^*}$ $(:=C_i)$ is uncorrupted. If $(i,y^*,\cdot,\cdot)\in Q$ in the Send$(1,S,\ell_S^*,C_i|y^*|\tau_0^*)$ oracle and $\tau_2^*$ is accepted in Send$(3,S,\ell_S^*,\tau_2^*)$, then $\Pi_S^{\ell_S^*}$ has a unique partner $\Pi_i^{\ell_i^*}$ for some $\ell_i^*$.

Proof. The number of such $\Pi_i^{\ell_i^*}$ is at most one, by the Normal condition on $x$. It suffices to prove the existence of $\Pi_i^{\ell_i^*}$. Assume this is not true. By assumption, in Send$(1,S,\ell_S^*,C_i|y^*|\tau_0^*)$ it holds that $(i,y^*,k_0^*,k_1^*)\in Q$ for some $k_0^*,k_1^*$, and also that $\tau_0^*=\mathrm{MAC}_{k_0^*}(C_i|S|y^*)$ (otherwise $\tau_0^*$ in $Flow_1$ was rejected and it would be impossible for $\Pi_S^{\ell_S^*}$ to verify and accept $\tau_2^*$). Hence, the fact that $(i,y^*,k_0^*,k_1^*)$ was recorded in $Q$ implies that $\Pi_i^{\ell_i^*}$ for some $\ell_i^*$ must have sampled $x=T^*(\pi_i,y^*)$. By the Normal condition, $\Pi_i^{\ell_i^*}$ is the only instance that samples this value. Since $\Pi_i^{\ell_i^*}$ is not partnered with $\Pi_S^{\ell_S^*}$, $\Pi_i^{\ell_i^*}$ does not compute $\mathrm{MAC}_{k_0^*}(\cdot)$ on the input $C_i|S|y^*|\zeta^*|2$, where $\zeta^*$ is generated by $\Pi_S^{\ell_S^*}$. As in the previous lemma, $k_0^*$ is only used to evaluate $\mathrm{MAC}_{k_0^*}(\cdot)$. To prove the lemma, it suffices to show that the simulator never evaluates and outputs $\mathrm{MAC}_{k_0^*}(\cdot)$ on the input $C_i|S|y^*|\zeta^*|2$. Otherwise, it must be done by an instance $\Pi_i^{\ell_i}$ of $C_i$ in generating $Flow_3$ (recall that the inputs for $\tau_0,\tau_1,\tau_2$ have different formats). Since the input contains $C_i|S|y^*$, $\Pi_i^{\ell_i}$ sampled $x=T^*(\pi_i,y^*)$. It follows that $\ell_i=\ell_i^*$, contradicting that $\Pi_i^{\ell_i^*}$ is not partnered with $\Pi_S^{\ell_S^*}$. Hence, if $\Pi_i^{\ell_i^*}$ does not exist, then the acceptance by $\Pi_S^{\ell_S^*}$ implies a MAC forgery, contradicting the security of MAC. $\square$

Lemma 8. Recall that Succ denotes the success of $\mathcal{A}$ in the test session. Then $\Pr[\mathrm{Succ}\mid\neg\mathrm{Non\text{-}Auth}]=1/2$ in $\Gamma_2$.

Proof. Let $\Pi_U^{\ell_U^*}$ be the test instance and $\mathrm{pid}_U^{\ell_U^*}=V$. Let $\mathrm{sid}_U^{\ell_U^*}=C_J|S|y^*|\zeta^*$. Then $\{U,V\}=\{J,S\}$. If $U=J$, then $V=S$ and (by Lemma 6) there is a unique partner $\Pi_S^{\ell_S^*}$ for $\Pi_J^{\ell_J^*}$. If $U=S$, then $V=J$. In this case, if no partner $\Pi_J^{\ell_J}$ of $C_J$ exists for $\Pi_S^{\ell_S^*}$, then the acceptance of $\tau_2^*$ by $\Pi_S^{\ell_S^*}$ implies the $\mathrm{Non\text{-}Auth}_J$ event. Hence, under the event $\neg\mathrm{Non\text{-}Auth}$, there is a partner $\Pi_J^{\ell_J^*}$ for $\Pi_S^{\ell_S^*}$, and by the Normal condition it is unique. So in either case, conditional on $\neg\mathrm{Non\text{-}Auth}$, there is a unique partner $\Pi_V^{\ell_V^*}$ for $\Pi_U^{\ell_U^*}$. Let $(k_0^*,k_1^*)$ be the uniformly random keys defined to replace $H_\theta(J,x^*)$, where $x^*=T^*(\pi_J,y^*)$. Let $b\in\{0,1\}$ and $\alpha_1\in\{0,1\}^\kappa$ be the random values used in the Test oracle. We notice that in $\Gamma_2$, $\mathrm{sk}_U^{\ell_U^*}=k_1^*$ is taken uniformly at random from $\{0,1\}^\kappa$. Let $\alpha_0=\mathrm{sk}_U^{\ell_U^*}$. Let the randomness of the whole game $\Gamma_2$, except $k_1^*,b,\alpha_1$, be denoted by $r$. Use $\mathrm{View}_t(\mathcal{A})$ to denote the adversary view after the $t$-th query. To prove the lemma, it suffices to show that $\mathrm{View}_t(\mathcal{A})$ for each $t$ is determined by $r,\alpha_b$. We actually also show that $\{\mathrm{stat}_i^{\ell_i}\}_{(i,\ell_i)\neq(U,\ell_U^*),(V,\ell_V^*)}$ is determined by $r,\alpha_b$. Initially, $\mathrm{View}_0(\mathcal{A})$ consists of the public parameters and the conclusion holds trivially. Assume it holds for $t-1$ queries. Consider query $t$.

Send$(0,i,\ell_i,\mathrm{null})$. The randomness for sampling $x$ and for $k_0$ comes from $r$. Hence, $C_i|y|\tau_0$ is determined by $\mathrm{View}_{t-1}(\mathcal{A})$ and $r$. $\mathrm{stat}_i^{\ell_i}=C_i|S|y|k_0|k_1$. When $(i,\ell_i)\neq(J,\ell_J^*)$, $k_1$ is determined by $r$. Hence, the conclusion holds after this query.

Send$(1,S,\ell_S,C_i|y|\tau_0)$. The oracle first checks whether $(i,y,*,*)\in Q$. If yes, it extracts $k_0$ from the record and proceeds normally (using randomness from $r$ if needed). If no, it computes $(k_0',k_1')=H_\theta(i,x)$ for $x=T^*(\pi_i,y)$ and proceeds normally. Notice that the components $(i,y,k_0)$ of a record in $Q$ are computed using the randomness $r$; $\zeta$ is generated using $r$ too. $\theta$ is based on the randomness in the initialization of $\Gamma_2$ and hence on $r$ too. So the adversary view in this query is determined by $\mathrm{View}_{t-1}(\mathcal{A})$ and $r$. If it outputs $Flow_2$, then $\mathrm{stat}_S^{\ell_S}$ is updated to $C_i|S|y|\zeta|k_0|k_1$. By the uniqueness of $\ell_S^*$, when $(S,\ell_S)\neq(S,\ell_S^*)$, $k_1$ is computed from $r$. Hence, the conclusion holds after this query.

Send$(2,\cdot)$ and Send$(3,\cdot)$ are determined by the view of $\mathcal{A}$ before the query and the session state. By induction, the conclusion holds after this query.

Reveal$(i,\ell_i)$. This query returns $\mathrm{sk}_i^{\ell_i}$. By the restriction in the definition of Test, $\Pi_i^{\ell_i}\neq\Pi_U^{\ell_U^*},\Pi_V^{\ell_V^*}$, and hence by induction its internal state is determined by $\mathrm{View}_{t-1}(\mathcal{A})$ and $r,\alpha_b$. Since $\mathrm{sk}_i^{\ell_i}$ is part of its internal state, the conclusion holds after this query.

Corrupt$(i)$. Upon this query, $\pi_i$ as well as $\{\mathrm{stat}_i^{\ell_i}\}_{\ell_i}$ become available to $\mathcal{A}$. Since $i\neq J,S$ by the Test restriction, by induction the conclusion holds after this query.

Test$(U,\ell_U^*)$. The reply to this query is $\alpha_b$. The conclusion holds trivially after this query.

In summary, after any query our conclusion holds. Hence, the adversary view is independent of $b$. $\square$

Lemma 9. $\Pr[\mathrm{Non\text{-}Auth}_i(\mathcal{A},\Gamma_2)]\le Q_i/|\mathcal{D}|+\mathrm{negl}(\kappa)$, where $Q_i$ bounds the number of Send$(1,S,\cdot,C_i|\cdot|\cdot)$ queries.

Proof. To prove the lemma, we show how to simulate $\Gamma_2$ when the randomness for $\{\pi_i\}$ is left unfixed while the remaining randomness of the game is fixed. Let $\mathcal{D}_i$ be the candidate space for $\pi_i$ after each oracle query. We simulate $\Gamma_2$ such that after each query the adversary view is identical for every $(\pi_1,\ldots,\pi_n)\in\mathcal{D}_1\times\mathcal{D}_2\times\cdots\times\mathcal{D}_n$. Hence, given the adversary view, $(\pi_1,\ldots,\pi_n)$ is uniformly distributed over $\mathcal{D}_1\times\cdots\times\mathcal{D}_n$.

Initially, the adversary is given $(\mathrm{desc}(\Lambda),\alpha(\theta))$, which is independent of $\pi_1,\ldots,\pi_n$. Hence $\mathcal{D}_1=\cdots=\mathcal{D}_n=\mathcal{D}$. Assume this simulation has been done for query $t-1$. Consider query $t$, which is one of the following.

Send$(0,i,\ell_i,\mathrm{null})$. The oracle takes $y\leftarrow X$, $(k_0,k_1)\leftarrow\{0,1\}^{2\kappa}$ and computes $\tau_0=\mathrm{MAC}_{k_0}(C_i|S|y)$. Finally, it updates $Q=Q\cup\{(i,y,k_0,k_1)\}$. The adversary view in this query is $C_i|y|\tau_0$. For any $\{\pi_j\}_{j=1}^n\in\prod_{j=1}^n\mathcal{D}_j$, the adversary view in the current query is identical. By the induction assumption, the conclusion holds after this query if $\mathcal{D}_j$, $j=1,\ldots,n$, remain unchanged. $\mathrm{stat}_i^{\ell_i}=C_i|S|y|k_0|k_1$.

Send$(1,S,\ell_S,C_i|y|\tau_0)$. Upon this, if $(i,y,k_0,k_1)\in Q$, then (regardless of the concrete value of $\pi_i$) the oracle takes $(k_0,k_1)$ from the record, finishes the remaining simulation of this query normally, and all $\{\mathcal{D}_j\}$ remain unchanged. If $(i,y,k_0,k_1)\notin Q$, the oracle uses $\theta$ and $\pi_i$ to verify $\tau_0$, and announces the success of $\mathcal{A}$ if it is valid and rejects otherwise. The analysis of this case is as follows.

1. $\tau_0$ is valid and $T^*(\pi_i,y)\in L$. This case occurs for at most one $\pi_i$ (denoted by $\pi_i(y)$), by Regularity Property R-2 of $(T,T^*)$.

2. $\tau_0$ is valid and $T^*(\pi_i,y)\notin L$. This is a Bad event in $\Gamma_2$ (negligible, see Lemma 5). Since after Lemma 5 we assume that this event never occurs, this case does not exist.

In summary, item 1 occurs (hence $\pi_i=\pi_i(y)$) with probability at most $1/|\mathcal{D}_i|$ by the induction assumption (since, given $\mathrm{View}_{t-1}(\mathcal{A})$, the vector $\{\pi_j\}_j$ is uniform over $\prod_j\mathcal{D}_j$ and in particular $\pi_i$ is uniform over $\mathcal{D}_i$); when item 1 does not occur, the adversary view in this query is identical (i.e., reject) for every password setup with $\pi_i\in\mathcal{D}_i\setminus\{\pi_i(y)\}$ and $\pi_j\in\mathcal{D}_j$ for all $j\neq i$. Hence, in this case, $\mathcal{D}_j$ for $j\neq i$ remain unchanged, $\mathcal{D}_i$ becomes $\mathcal{D}_i\setminus\{\pi_i(y)\}$, and $\mathrm{stat}_S^{\ell_S}=C_i|S|y|k_0|k_1$ is well defined.

Reveal, Test, Send$(2,\cdots)$ and Send$(3,\cdots)$ are all processed using only a session state from a Send$(0,\cdot)$ or Send$(1,\cdot)$ oracle, which is well defined as seen above. Hence, the simulation is perfect.

Corrupt$(i)$. In this case $\pi_i$ is revealed and hence $\mathcal{D}_i$ is reduced to a single value. Notice that $\{\mathrm{stat}_i^{\ell_i}\}_{\ell_i}$ are consistent with all $\{\pi_j\}_j\in\prod_j\mathcal{D}_j$ by induction. Thus, if we keep $\mathcal{D}_j$ unchanged for $j\neq i$, the conclusion still holds.

Now we consider the $\mathrm{Non\text{-}Auth}_i$ event. It occurs either at some $\Pi_i^{\ell_i}$ or at some $\Pi_S^{\ell_S}$ with $\mathrm{pid}_S^{\ell_S}=C_i$. By Lemma 6, the former is impossible. For the latter, by Lemma 7, it must hold that $(i,y,*,*)\notin Q$ in the Send$(1,S,\ell_S,C_i|y|\tau_0)$ query, and hence item 1 (i.e., $\pi_i=\pi_i(y)$) must occur (since item 2 is negligible and ignored). It remains to bound the probability of $\pi_i=\pi_i(y)$ throughout the game. As analyzed above, it has probability $1/|\mathcal{D}_i|$, conditional on the previous queries with $Flow_1=C_i|*$ not having had such an event. Hence, $\pi_i=\pi_i(y)$ occurs at the $\ell$-th such Send$(1,S,\cdot,C_i|\cdot|\cdot)$ query with probability
$$\frac{|\mathcal{D}|-1}{|\mathcal{D}|}\cdot\frac{|\mathcal{D}|-2}{|\mathcal{D}|-1}\cdots\frac{1}{|\mathcal{D}|-\ell+1}=\frac{1}{|\mathcal{D}|}.$$
We claim that there are at most $Q_i$ Send$(1,S,\cdot,C_i|y|\cdot)$ queries for a fixed $C_i$ such that $(i,y,*,*)\notin Q$ with $\mathrm{Client}(\Pi_S^{\ell_S})=C_i$. Indeed, although at the beginning of the proof of the theorem we decomposed Execute into 4 Send$(d,\cdot)$ queries, this treatment does not invalidate the above statement: in the special Send$(1,S,\ell_S,C_i|y|\tau_0)$ query (decomposed from a query Execute$(i,\ell_i,S,\ell_S)$), $(i,y,*,*)\in Q$ was recorded by $\Pi_i^{\ell_i}$ in Send$(0,i,\ell_i,\mathrm{null})$ (decomposed from the same Execute query). So $\mathrm{Non\text{-}Auth}_i$ does not occur in such a special Send query. Thus, $\Pr[\mathrm{Non\text{-}Auth}_i(\mathcal{A},\Gamma_2)]\le Q_i/|\mathcal{D}|+\mathrm{negl}(\kappa)$. $\square$

We come back to the proof of the theorem. Note that both $\mathrm{Non\text{-}Auth}_i$ and Succ are events in the view of the adversary. Hence, each of them has negligibly close probability across the games $\Gamma_0,\Gamma_1,\Gamma_2$. By Lemmas 8 and 9, we conclude the proof of the theorem. $\blacksquare$

7 Persistency

In this section, we show that our protocol is persistent against the leakage of the server key $\theta$. In our analysis, we model MAC as a random oracle, which is reasonable (say, if we use HMAC). We first introduce the following notion.

Definition 4. Let $H_\theta:\{0,1\}^*\times X\to\{0,1\}^{2\kappa}$ be a tag-PHF and $F:\mathcal{D}\times X\to X$ a deterministic function. $H_\theta$ is locally 1-unique w.r.t. $F$ if for any PPT adversary $\mathcal{A}$, the probability that the first $\kappa$ bits of $H_\theta(z,F(\pi_1,y))$ and $H_\theta(z,F(\pi_2,y))$ are equal is negligible, where $\pi_1,\pi_2$ are distinct and range over $\mathcal{D}$, and $(z,y)\leftarrow\mathcal{A}(\Psi,\theta,\pi_1,\pi_2)$.

Persistency requires that if the attacker runs $T<a\ell|\mathcal{D}|$ basic steps for $a<1/2$, then the probability that he breaks authentication w.r.t. $\ell$ clients is small. An authentication break w.r.t. $C_i$ means that either $\tau_1$ is accepted at Send$(2,i,\ell_i,Flow_2)$ while the server $S$ never computed it, or $\tau_2$ is accepted at Send$(3,S,\ell_S,\tau_2)$ while $C_i$ never computed it. Intuitively, computing $k_0$ (hence $\tau_0,\tau_1,\tau_2$) requires knowledge of $\pi_i$. In our proof, we maintain and update the candidate space $\mathcal{D}_i$ for $\pi_i$ after each oracle query. We show that each query either identifies $\pi_i$ with probability $1/|\mathcal{D}_i|$ for one particular $i$, or removes one candidate for $\pi_i$ from $\mathcal{D}_i$; in either case no other $\mathcal{D}_j$ is affected. Thus, an oracle query behaves like a pick in the red ball experiment of Section 4: it either hits a password $\pi_i$ (a red ball) or removes one incorrect candidate (a white ball) for $\pi_i$. From Theorem 1, we know that with at most $T<a\ell|\mathcal{D}|$ picks, the probability of drawing $\ell$ red balls in total is exponentially small. We now proceed to a formal analysis.

Theorem 3. Let $\mathrm{MAC}:\{0,1\}^\kappa\times\{0,1\}^*\to\{0,1\}^\kappa$ be a random oracle and let $H_\theta()$ be locally 1-unique with respect to $T^*$. Then HPS-PAKE is persistent, where one MAC evaluation is counted as a basic step.

Proof. We first modify the Send$(0,\cdot)$ oracle such that $x\leftarrow D(X\setminus L)$ (instead of $D(L)$). Since $H_\theta(z,x)$ can be computed using $\theta$ (which is known), the revised game can be simulated without difficulty. Thus, the probabilities of breaking authentication in the two games differ negligibly, and we only need to consider the revised game. Assuming that the randomness $r$ of the whole game, except $\{\pi_i\}$, is fixed, we show how to simulate the Send oracles and the MAC oracle without specifying $\{\pi_i\}$. We denote by $\mathcal{D}_i$ the candidate space for $\pi_i$ given the current adversary view, and by $\mathrm{view}_t(\mathcal{A})$ the adversary view after $t$ queries. Initially, $\mathcal{A}$ receives $\theta$ and $\mathrm{desc}(\Psi)$, which are independent of $\{\pi_i\}$. Hence, given $\mathrm{view}_0(\mathcal{A})$, $\mathcal{D}_1=\cdots=\mathcal{D}_n=\mathcal{D}$. Assume the first $t-1$ queries have been answered. Consider query $t$, which is one of the following.

MAC oracle. It maintains a MAC list $\mathcal{C}$ consisting of records $(x,\mathrm{MAC}(x))$.

Query $m$ by the Simulator. Such a query always has the format $(\mathrm{udef}\text{-}k_0,C_i|S|y|\rho)$ where $\rho=\epsilon$ (empty), $\zeta|1$ or $\zeta|2$, and $\mathrm{udef}\text{-}k_0$ is the as yet undefined random variable $k_0$ (which depends on the random variable $\pi_i$; recall that the randomness other than $\{\pi_i\}$ is fixed). Note that $\mathrm{udef}\text{-}k_0$ is determined once $\mathcal{D}_i$ has a single element; by default, when $|\mathcal{D}_i|=1$ the simulator always realizes $\mathrm{udef}\text{-}k_0$ with that determined value. Upon the MAC query, it checks whether the query was made before. If not, take $z\leftarrow\{0,1\}^\kappa$ and add $((\mathrm{udef}\text{-}k_0,C_i|S|y|\rho),z)$ to $\mathcal{C}$. In any case, return the $z$ with $((\mathrm{udef}\text{-}k_0,C_i|S|y|\rho),z)\in\mathcal{C}$ as the reply. Note that this query does not change $\{\mathcal{D}_j\}$; that is, the simulation is consistent with any assignment $\{\pi_j\}\in\prod_j\mathcal{D}_j$.

Query $m$ by $\mathcal{A}$. Upon query $m$, if $m$ was queried before, find $z$ with $(m,z)\in\mathcal{C}$ and return $z$. Otherwise, do the following. If $m$ can be parsed into the format $(u,s)$ with $s=C_i|S|y|\rho$ for $\rho=\epsilon$ (empty), $\zeta|1$ or $\zeta|2$, check whether there exists some $\pi(i,y)\in\mathcal{D}_i$ (unique if any, by the assumption on $H_\theta()$) such that $(u,*)=H_\theta(i,T^*(\pi(i,y),y))$. If $\pi(i,y)$ exists, check whether $\pi_i=\pi(i,y)$ (here '$=$' occurs with probability $1/|\mathcal{D}_i|$, since any $\{\pi_j\}_j\in\prod_j\mathcal{D}_j$ gives the same adversary view). If yes, set $\mathcal{D}_i=\{\pi(i,y)\}$ and realize $\mathrm{udef}\text{-}k_0$ in every record $(\mathrm{udef}\text{-}k_0,C_i|S|y'|\rho)$ of $\mathcal{C}$ by the first $\kappa$ bits of $H_\theta(i,T^*(\pi(i,y),y'))$; otherwise, set $\mathcal{D}_i=\mathcal{D}_i\setminus\{\pi(i,y)\}$. If $m$ is not yet recorded in $\mathcal{C}$, take $z\leftarrow\{0,1\}^\kappa$ (using the random tape $r$) and add $(m,z)$ to $\mathcal{C}$. In any case, return the $z$ with $(m,z)\in\mathcal{C}$.

Our MAC simulation has the property that if every $\{\pi_j\}\in\prod_j\mathcal{D}_j$ (with $\mathrm{udef}\text{-}k_0$ realized according to this assignment) is consistent with the adversary view before the MAC query, then after the MAC query this still holds for the updated $\{\mathcal{D}_i\}$.

Send$(0,i,\ell_i,\mathrm{null})$. Upon this, take $y\leftarrow X$. Assume that no query $(*,C_i|S|y)$ was previously issued to MAC, which fails with probability $|\mathcal{C}|/|X|$ (tiny and ignored). Query $(\mathrm{udef}\text{-}k_0,C_i|S|y)$ to the MAC oracle and, upon receiving the reply $z$, define $\tau_0=z$. Finally, send $C_i|y|\tau_0$ to $\mathcal{A}$.

Send$(1,S,\ell_S,C_i|y|\tau_0)$. Upon this, query $(\mathrm{udef}\text{-}k_0,C_i|S|y)$ to the MAC oracle and, upon receiving the reply $z$, accept $\tau_0$ if and only if $\tau_0=z$. If $\tau_0=z$, generate $Flow_2$ normally, querying $(\mathrm{udef}\text{-}k_0,C_i|S|y|\zeta|1)$ to the MAC oracle to compute $\tau_1$. Finally send out $S|y|\tau_1|\zeta$.

Send$(2,i,\ell_i,S|y|\tau_1|\zeta)$. Upon this, verify $\tau_1$ by querying $(\mathrm{udef}\text{-}k_0,C_i|S|y|\zeta|1)$ to the MAC oracle and, if accepted, generate and send out $\tau_2$ by querying $(\mathrm{udef}\text{-}k_0,C_i|S|y|\zeta|2)$ to the MAC oracle.

Send$(3,S,\ell_S,\tau_2)$. Verify $\tau_2$ by querying $(\mathrm{udef}\text{-}k_0,C_i|S|y|\zeta|2)$ to the MAC oracle.

By the definition of MAC, after each query the adversary view is consistent with any $\{\pi_j\}_j\in\prod_j\mathcal{D}_j$. Our simulation is perfectly consistent with the real game.

It is important to note that a Send oracle does not change $\prod_j\mathcal{D}_j$: it only involves MAC queries from the Simulator, which do not change $\prod_j\mathcal{D}_j$, and the remaining code of the Send oracle does not change it either. Now a violation of authentication w.r.t. a client $C_i$ occurs only in two cases:

• In Send$(2,i,\ell_i,S|y|\tau_1|\zeta)$, $\tau_1$ is accepted although the tuple $(\mathrm{udef}\text{-}k_0,C_i|S|y|\zeta|1)$ was not queried to the MAC oracle by the Simulator before this Send query. By the treatment of the MAC oracle, when $|\mathcal{D}_i|\ge 2$, no $(\pi,C_i|S|y|\zeta|1)$ for any $\pi\in\mathcal{D}_i$ has been queried to MAC: otherwise, either $|\mathcal{D}_i|=1$ (in case $\pi_i=\pi$) or $\pi$ was removed from $\mathcal{D}_i$ (in case $\pi_i\neq\pi$). Hence, given the adversary view, $\mathrm{MAC}(\mathrm{udef}\text{-}k_0,C_i|S|y|\zeta|1)$ is uniformly random in $\{0,1\}^\kappa$, and $\tau_1$ is rejected (ignoring the acceptance probability $2^{-\kappa}$) for every value of $\pi_i$ in $\mathcal{D}_i$. This also implies that after this query $\{\mathcal{D}_j\}$ remains unchanged, since for any assignment $\{\pi_j\}\in\prod_j\mathcal{D}_j$ the adversary view in this query is identical: reject. When $|\mathcal{D}_i|=1$, $\tau_1$ is of course accepted with probability at most $1/|\mathcal{D}_i|=1$.

• In Send$(3,S,\ell_S,\tau_2)$ with $\mathrm{pid}_S^{\ell_S}=C_i$, the Simulator has never queried $(\mathrm{udef}\text{-}k_0,C_i|S|y|\zeta|2)$ to the MAC oracle but $\tau_2$ is valid. The analysis is similar to the Send$(2,\cdot)$ case above.

Now we evaluate $\Pr[\mathrm{Succ}(\mathcal{A})]$. From the above analysis, authentication breaks w.r.t. $\ell$ clients imply that $|\mathcal{D}_i|=1$ for these $\ell$ clients. On the other hand, we have shown that $\mathcal{D}_i$ shrinks only when $\mathcal{A}$ makes a special MAC query $(u,s)$ that defines $\pi(i,y)$: with probability $1/|\mathcal{D}_i|$, $\pi(i,y)=\pi_i$; otherwise $\mathcal{D}_i=\mathcal{D}_i\setminus\{\pi(i,y)\}$. Now we can build the red ball experiment out of this event: $\pi_i$ is the red ball and $\pi(i,y)$ is a pick at Box $i$. $\pi(i,y)$ hits the red ball with probability $1/|\mathcal{D}_i|$; otherwise, Box $i$ loses one white ball $\pi(i,y)$. Defining $\pi(i,y)$ involves at least one MAC computation, so one pick costs at least one basic step. By Theorem 1, within $T<a\ell|\mathcal{D}|$ picks, $\ell$ red balls are selected with probability at most $\exp(-2\ell(0.5-a)^2)$. $\blacksquare$
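The following Python, added here and not part of the paper, makes the red ball accounting of this section concrete. `optimal_success` computes $\Theta_{t,n,\ell}(a_1,\ldots,a_n)$, the success probability of the best adaptive adversary, by the recursion used in Appendix B (pick a box $j$; with probability $1/a_j$ its red ball is found, otherwise one white ball leaves the box). `sequential_strategy` computes the probability $\Pr[x_1+\cdots+x_\ell\le t]$ of the strategy $\mathcal{A}_0$ of Appendix B, which Lemma 2 states is optimal, and `persistency_check` compares the exact optimum with the bound $\exp(-2\ell(0.5-a)^2)$ of Theorem 1 for $T<a\ell|\mathcal{D}|$ picks. The box sizes are constructed toy values; the example assumes that $\mathcal{A}_0$ drains the smallest boxes first, which is immaterial in the persistency setting where every $a_i=|\mathcal{D}|$.

```python
from fractions import Fraction
from functools import lru_cache
import math

# Red-ball experiment, with constructed toy box sizes: Box i holds a_i balls,
# exactly one of them red (the password pi_i).  A pick at Box i hits the red
# ball with probability 1/a_i; otherwise one white ball (a wrong candidate) is
# removed.  The adversary chooses the box adaptively at each step and wins if
# it collects ell red balls within t picks.

@lru_cache(maxsize=None)
def optimal_success(t, boxes, ell):
    """Theta_{t,n,ell}(a_1,...,a_n): exact success probability (a Fraction) of
    the best adaptive strategy.  `boxes` holds the remaining ball counts; a box
    disappears once its red ball has been found."""
    if ell == 0:
        return Fraction(1)
    if t == 0 or ell > len(boxes):
        return Fraction(0)
    best = Fraction(0)
    for j, a in enumerate(boxes):
        rest = boxes[:j] + boxes[j + 1:]
        # hit: Box j is finished and one red ball fewer is needed
        value = Fraction(1, a) * optimal_success(t - 1, tuple(sorted(rest)), ell - 1)
        if a > 1:  # miss: Box j loses one white ball
            value += (1 - Fraction(1, a)) * optimal_success(
                t - 1, tuple(sorted(rest + (a - 1,))), ell)
        best = max(best, value)
    return best

def sequential_strategy(t, boxes, ell):
    """A_0 of Appendix B: drain one box after another, smallest box first
    (an assumed ordering; irrelevant when every a_i = |D| as in Theorem 3).
    Its success probability is Pr[x_1 + ... + x_ell <= t] with x_i uniform on
    {1, ..., a_i}, computed here by exact convolution."""
    dist = {0: Fraction(1)}          # picks spent so far -> probability
    for a in sorted(boxes)[:ell]:
        nxt = {}
        for spent, p in dist.items():
            for x in range(1, a + 1):
                if spent + x <= t:
                    nxt[spent + x] = nxt.get(spent + x, Fraction(0)) + p / a
        dist = nxt
    return sum(dist.values(), Fraction(0))

def persistency_bound(ell, alpha):
    """Theorem 1 as invoked in Theorem 3: with fewer than alpha*ell*|D| picks,
    alpha < 1/2, ell red balls are drawn with probability <= exp(-2 ell (1/2-alpha)^2)."""
    assert 0 < alpha < 0.5
    return math.exp(-2 * ell * (0.5 - alpha) ** 2)

def persistency_check(dict_size, ell, alpha):
    """ell clients, each with a dictionary of size |D| = dict_size, and the
    largest T < alpha*ell*|D|: returns (exact optimum, bound, optimum <= bound)."""
    t = math.ceil(alpha * ell * dict_size) - 1
    exact = optimal_success(t, (dict_size,) * ell, ell)
    bound = persistency_bound(ell, alpha)
    return exact, bound, float(exact) <= bound
```

`optimal_success(5, (8, 8, 8), 3)` returns the same $10/512$ as `sequential_strategy`, as Lemma 2 predicts, and `persistency_check(8, 3, 0.25)` shows the exact optimum well below the Theorem 1 bound; the recursion is exact, so it also serves to check small cases of Lemma 2 with unequal boxes.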

8 Realization by Revised Cramer-Shoup Hash Proof System

In this section, we realize the HPS-PAKE framework using a tag-HPS, the revised Cramer-Shoup hash proof system [26, 9].

• Hard Subset Membership Problem. Sample a prime $p=2q+1$ where $q$ is also a large prime. Let $G$ be the subgroup of $\mathbb{Z}_p^*$ of prime order $q$. Take $g_1,g_2\leftarrow G$. The set is $X=\{(g_1^{r_1},g_2^{r_2})\mid r_1,r_2\in\mathbb{Z}_q\}$. The language is $L=\{(g_1^r,g_2^r)\mid r\in\mathbb{Z}_q\}$, and the witness for $(g_1^r,g_2^r)\in L$ is $r$. $D(L)$ and $D(X\setminus L)$ are the uniform distributions over $L$ and $X\setminus L$, respectively. The witness set is $W=\mathbb{Z}_q$. The NP-relation is $R=\{(r,(u_1,u_2))\mid u_1=g_1^r,\,u_2=g_2^r,\,r\in W\}$. Hence, the description is $\mathrm{desc}(\Lambda)=(g_1,g_2,p)$. This is a hard subset membership problem under the Decisional Diffie-Hellman (DDH) assumption in $G$.

• Tag-based Projective Hash Function $\Psi$. Let the domain be $G^2$ and the range be $\{0,1\}^{2\kappa}$. Let the key space be $\mathcal{K}=\{(a_1,a_2,b_1,b_2)\mid a_1,a_2,b_1,b_2\in\mathbb{Z}_q\}$, and $\Theta=\alpha(\theta)=(\Theta_1,\Theta_2)=(g_1^{a_1}g_2^{a_2},\,g_1^{b_1}g_2^{b_2})$ for $\theta=(a_1,a_2,b_1,b_2)\in\mathcal{K}$. Let $h_\lambda$ be a collision-resistant hash function from $\{0,1\}^*$ to $\mathbb{Z}_q$, indexed by $\lambda\leftarrow\{0,1\}^\kappa$. Let KDF be a key derivation function (e.g., the least half of the bits of the input); it is not used in the original HPS [26, 9]. For $(u_1,u_2)\in X$ and a tag $z$, define $H_\theta(z,(u_1,u_2))=\mathrm{KDF}(u_1^{a_1+b_1\tau}u_2^{a_2+b_2\tau})$, where $\tau=h_\lambda(z,u_1,u_2)$. If $(u_1,u_2)=(g_1^r,g_2^r)$, then
$$H_\theta(z,u_1,u_2)=\mathrm{KDF}(u_1^{a_1+b_1\tau}u_2^{a_2+b_2\tau})=\mathrm{KDF}((\Theta_1\Theta_2^{\tau})^r).$$
So $\Psi$ is a projective hash function with $\mathrm{desc}(\Psi)=(g_1,g_2,\lambda,p)$. By Lemma 10 below, $\Psi$ is also computationally universal.

• Regular Transformation Pair $(T,T^*)$. For $\pi\in\mathcal{D}$ and $(u_1,u_2)\in X$, define $T(\pi,(u_1,u_2))=(u_1,u_2g_2^{\pi})$ and $T^*(\pi,(u_1,u_2))=(u_1,u_2g_2^{-\pi})$. Evidently, regularity property R-1 is satisfied. In addition, property R-2 is satisfied as long as there are no distinct $\pi_1,\pi_2\in\mathcal{D}$ with $\pi_1\equiv\pi_2\pmod q$ (since $g_2$ has order $q$), which is evident when $\mathcal{D}=\{1,\ldots,N\}$ for $N<q$.

Lemma 10. If $h_\lambda$ is collision-resistant, then $\Psi$ is computationally universal.

The proof is similar to [17, Lemma 6.3] and omitted here.

Security. Let HPS$_{CS}$-PAKE denote HPS-PAKE realized with the above tag-HPS. By Theorem 2, it is secure.

Persistency. Now we consider the persistency of HPS$_{CS}$-PAKE. By Theorem 3, we only need to show that $H_\theta(z,x)$ is locally 1-unique, which follows from the next lemma.

Lemma 11. Assume that $h_\lambda$ is a random oracle and $\mathrm{dist}[\mathrm{KDF}(V),U_\kappa]=\Delta$ with $(\Delta+2^{-\kappa})N^2=\mathrm{negl}(\kappa)$, where $V$ and $U_\kappa$ are uniform over $G$ and $\{0,1\}^\kappa$, respectively. Then $H_\theta()$ is locally 1-unique with respect to $T^*$.

Proof. Since $b_2$ is uniform over $\mathbb{Z}_q$, we ignore the probability that $b_2=0$. Let $(z^*,x_1^*,x_2^*)$ be the output of $\mathcal{A}$. For any distinct $\omega_1,\omega_2\in[N]$, let $A$ and $B$ be the group elements fed to KDF in $H_\theta(z^*,T^*(\omega_1,(x_1^*,x_2^*)))$ and $H_\theta(z^*,T^*(\omega_2,(x_1^*,x_2^*)))$, that is,
$$A=x_1^{*a_1}x_2^{*a_2}g_2^{-a_2\omega_1}\cdot\big(x_1^{*b_1}x_2^{*b_2}g_2^{-b_2\omega_1}\big)^{\tau_1},\qquad B=x_1^{*a_1}x_2^{*a_2}g_2^{-a_2\omega_2}\cdot\big(x_1^{*b_1}x_2^{*b_2}g_2^{-b_2\omega_2}\big)^{\tau_2},$$
where $\tau_1=h_\lambda(z^*,x_1^*,x_2^*g_2^{-\omega_1})$ and $\tau_2=h_\lambda(z^*,x_1^*,x_2^*g_2^{-\omega_2})$. As $q>N$, $\tau_1$ and $\tau_2$ are independent (in $\mathbb{Z}_q$), and
$$\big(x_1^{*b_1}x_2^{*b_2}g_2^{-b_2\omega_1}\big)\big/\big(x_1^{*b_1}x_2^{*b_2}g_2^{-b_2\omega_2}\big)=g_2^{b_2(\omega_2-\omega_1)}$$
has order $q$. Thus at least one of the two bases has order $q$, and so either $B$ or $A$ is uniformly distributed over $G$. Assume the base of $B$ has order $q$. By the independence of $\tau_1$ and $\tau_2$, $B$ is uniformly random over $G$ for fixed $A$. So by calculation the first $\kappa$ bits of $\mathrm{KDF}(B)$ and $\mathrm{KDF}(A)$ are equal with probability at most $2\Delta+2^{-\kappa}$. Since there are $N(N-1)/2$ pairs $(\omega_1,\omega_2)$, the lemma follows by the assumption. $\blacksquare$

Efficiency. The client's cost is dominated by 4 exponentiations, for $y=(g_1^r,g_2^{r+\pi_i})$ and $(k_0,k_1)=\mathrm{KDF}((\Theta_1\Theta_2^{\tau})^r)$. The server's cost is dominated by 2 exponentiations, for $(k_0,k_1)=\mathrm{KDF}(u_1^{a_1+b_1\tau}u_2^{a_2+b_2\tau})$ where $y=(u_1,u_2g_2^{\pi_i})$ (note that it can store $g_2^{\pi_i}$). Here we did not count the verification of $y\in G^2$ by $S$, which needs one more exponentiation. However, we can use a recent technique (from our separate paper) to slightly modify the protocol so that the verification by exponentiation is avoided. The modification for HPS$_{CS}$-PAKE is as follows. In $Flow_1$, instead of sending $y=(g_1^r,g_2^{r+\pi_i})$, Client $i$ computes $y':=(y_1',y_2'):=(g_1^{r(q+1)/2},\,g_2^{(r+\pi_i)(q+1)/2})$ (exponents reduced modulo $q$), lets $y=(y_1'^2,y_2'^2)$, and replaces $y$ in the original $Flow_1$ message by $y'$. The remaining specification for the Client is unchanged. Correspondingly, the Server first recovers $y=(y_1,y_2)=(y_1'^2,y_2'^2)$ from $y'$ upon receiving $Flow_1$, and the remaining specification for the Server is unchanged; since the square of any element of $\mathbb{Z}_p^*$ lies in $G$, no membership test is needed. Denote the modified protocol by HPS$^*_{CS}$-PAKE. The cost for the client and for the server each increases by 2 squarings, which is tiny. Then the security of HPS$_{CS}$-PAKE implies the security of HPS$^*_{CS}$-PAKE. The proof uses the fact that for $y\in G$ it holds that $\sqrt{y}=y^{(q+1)/2}$. The security of HPS$^*_{CS}$-PAKE is obtained by proving that if there is an adversary $\mathcal{A}'$ against HPS$^*_{CS}$-PAKE with success probability $prob$, then there exists an adversary $\mathcal{A}$ against HPS$_{CS}$-PAKE with the same success probability. The setups of the two protocols are the same. So when $\mathcal{A}$ receives the setup parameters $(\mathrm{desc}(\Psi),\Theta)$, it forwards them to $\mathcal{A}'$. Upon a Send query from $\mathcal{A}'$, the strategy of $\mathcal{A}$ is to forward the query to his own challenger and relay the reply back to $\mathcal{A}'$, except that $y$ in a $Flow_1$ reply is replaced by $y'=\sqrt{y}$ before it is relayed to $\mathcal{A}'$, and $y'$ in a $Flow_1$ message of a Send$(1,\cdot)$ query from $\mathcal{A}'$ is replaced by $y=y'^2$ before it is forwarded. For the remaining queries Reveal, Corrupt$(i)$, Test from $\mathcal{A}'$, $\mathcal{A}$ forwards them to his own challenger and relays the reply back to $\mathcal{A}'$. From this strategy, whatever $\mathcal{A}'$ breaches in HPS$^*_{CS}$-PAKE, $\mathcal{A}$ does the same to HPS$_{CS}$-PAKE. Hence, the security of HPS$^*_{CS}$-PAKE follows. Details are omitted here.
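As an added illustration, not code from the paper, the following Python models HPS$^*_{CS}$-PAKE with the tag-HPS of this section on constructed toy parameters: the safe prime $p=2039$, $q=1019$ with $g_1=4$, $g_2=9$, SHA-256 standing in for $h_\lambda$ and KDF, HMAC-SHA256 for MAC, and the first $\kappa$ bits of the KDF output as $k_0$. The message encoding, the identity strings, the index $\lambda$ and the dictionary $\mathcal{D}=\{1,\ldots,N\}$ are assumptions of the example. It runs the three flows with the square-root form of $Flow_1$ (the server squares $y'$ and skips the membership test), shows a wrong password failing at $\tau_0$, and, for the setting of Section 7, an offline dictionary search by an attacker holding the leaked $\theta$ that counts its MAC evaluations: one basic step per candidate, as in the proof of Theorem 3.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters, far too small for real use: p = 2q + 1 is a safe
# prime (2039 = 2*1019 + 1), G is the order-q subgroup of quadratic residues
# in Z_p^*, and g1 = 2^2, g2 = 3^2 generate G.
P, Q, G1, G2 = 2039, 1019, 4, 9
assert P == 2 * Q + 1 and pow(G1, Q, P) == 1 and pow(G2, Q, P) == 1
KAPPA = 16                        # kappa = 128 bits, in bytes
LAMBDA = b"toy-index"             # lambda, the index of h_lambda (assumed value)
CLIENT_ID, SERVER_ID = b"C_1", b"S"

def enc(*parts):                  # unambiguous encoding of C_i|S|y|... (assumed)
    return b"|".join(p if isinstance(p, bytes) else repr(p).encode() for p in parts)
def h_lambda(z, u1, u2):          # h_lambda: {0,1}^* -> Z_q (SHA-256 stand-in)
    return int.from_bytes(hashlib.sha256(enc(LAMBDA, z, u1, u2)).digest(), "big") % Q
def kdf(elem):                    # KDF: G -> {0,1}^{2 kappa} as (k0, k1) (stand-in)
    d = hashlib.sha256(enc(b"kdf", elem)).digest()
    return d[:KAPPA], d[KAPPA:2 * KAPPA]
def mac(k0, msg):                 # MAC_{k0}; one evaluation = one basic step
    return hmac.new(k0, msg, hashlib.sha256).digest()[:KAPPA]

def keygen():
    """Server key theta = (a1, a2, b1, b2) and projection alpha(theta) = (Theta1, Theta2)."""
    a1, a2, b1, b2 = (secrets.randbelow(Q) for _ in range(4))
    proj = (pow(G1, a1, P) * pow(G2, a2, P) % P, pow(G1, b1, P) * pow(G2, b2, P) % P)
    return (a1, a2, b1, b2), proj

def hash_with_key(theta, z, x):
    """H_theta(z,(u1,u2)) = KDF(u1^{a1+b1*tau} u2^{a2+b2*tau}), tau = h_lambda(z,u1,u2)."""
    a1, a2, b1, b2 = theta
    tau = h_lambda(z, *x)
    return kdf(pow(x[0], (a1 + b1 * tau) % Q, P) * pow(x[1], (a2 + b2 * tau) % Q, P) % P)

def hash_with_witness(proj, z, x, r):
    """Projective evaluation with witness r, x = (g1^r, g2^r): KDF((Theta1 Theta2^tau)^r)."""
    return kdf(pow(proj[0] * pow(proj[1], h_lambda(z, *x), P) % P, r, P))

def T(pi, x):                     # T(pi,(u1,u2)) = (u1, u2 g2^pi)
    return x[0], x[1] * pow(G2, pi, P) % P
def T_star(pi, y):                # T*(pi,(u1,u2)) = (u1, u2 g2^{-pi})
    return y[0], y[1] * pow(G2, -pi % Q, P) % P
def square(v):                    # recover y = y'^2 from the transmitted root y'
    return v[0] * v[0] % P, v[1] * v[1] % P

def client_flow1(proj, pi):
    """Flow1 = C_i|y'|tau0 of HPS*_CS-PAKE: the square root y' of y is sent."""
    r = secrets.randbelow(Q)
    x = (pow(G1, r, P), pow(G2, r, P))
    k0, k1 = hash_with_witness(proj, CLIENT_ID, x, r)
    half = (Q + 1) // 2           # square-root exponent in G, folded into r
    y_sqrt = (pow(G1, r * half % Q, P), pow(G2, (r + pi) * half % Q, P))
    y = square(y_sqrt)            # two squarings; equals T(pi, x)
    tau0 = mac(k0, enc(CLIENT_ID, SERVER_ID, y))
    return (CLIENT_ID, y_sqrt, tau0), {"y": y, "k0": k0, "k1": k1}

def server_flow2(theta, pi, flow1):
    """Flow2 = S|zeta|tau1. Squaring y' always lands in G: no membership test."""
    cid, y_sqrt, tau0 = flow1
    y = square(y_sqrt)
    k0, k1 = hash_with_key(theta, cid, T_star(pi, y))
    if not hmac.compare_digest(tau0, mac(k0, enc(cid, SERVER_ID, y))):
        return None, None         # tau0 rejected: wrong password or forgery
    zeta = secrets.token_bytes(KAPPA)
    tau1 = mac(k0, enc(cid, SERVER_ID, y, zeta, 1))
    return (SERVER_ID, zeta, tau1), {"cid": cid, "y": y, "zeta": zeta, "k0": k0, "k1": k1}

def client_flow3(st, flow2):
    """Verify tau1 and emit Flow3 = tau2; the session key is k1."""
    sid, zeta, tau1 = flow2
    if not hmac.compare_digest(tau1, mac(st["k0"], enc(CLIENT_ID, sid, st["y"], zeta, 1))):
        return None
    return mac(st["k0"], enc(CLIENT_ID, sid, st["y"], zeta, 2))

def server_accepts(st, tau2):
    expected = mac(st["k0"], enc(st["cid"], SERVER_ID, st["y"], st["zeta"], 2))
    return tau2 is not None and hmac.compare_digest(tau2, expected)

def run(pi_client, pi_server):
    """One full exchange; returns (server accepted, client key, server key)."""
    theta, proj = keygen()
    flow1, cst = client_flow1(proj, pi_client)
    flow2, sst = server_flow2(theta, pi_server, flow1)
    if flow2 is None:
        return False, None, None
    return server_accepts(sst, client_flow3(cst, flow2)), cst["k1"], sst["k1"]

def offline_search(theta, flow1, dictionary):
    """With the leaked theta, test one Flow1 against a dictionary; returns
    (password or None, MAC evaluations spent): at least one per candidate."""
    cid, y_sqrt, tau0 = flow1
    y, steps = square(y_sqrt), 0
    for guess in dictionary:
        k0, _ = hash_with_key(theta, cid, T_star(guess, y))
        steps += 1
        if mac(k0, enc(cid, SERVER_ID, y)) == tau0:
            return guess, steps
    return None, steps
```

`run(7, 7)` completes with equal session keys on both sides, `run(7, 8)` is rejected at $\tau_0$ because the server's $T^*(8,y)$ is no longer in $L$, and `offline_search` recovers the password from a single $Flow_1$ once $\theta$ has leaked, spending exactly one MAC evaluation per candidate tried, which is the per-password cost the persistency bound counts.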
Appendix A. Proof of Lemma 1

Proof. Use $\mathfrak{R}_c$ to denote $\mathfrak{R}$ when the challenge bit is $c$. It suffices to show that $\Pr[\mathcal{A}(\mathfrak{R}_0)=1]=\Pr[\mathcal{A}(\mathfrak{R}_1)=1]+\mathrm{negl}(\kappa)$. Let $\mathfrak{R}_0^t$ denote the variant of $\mathfrak{R}_0$ where the first $t$ Challenge queries are answered as in $\mathfrak{R}_1$ while the remaining such queries are answered as in $\mathfrak{R}_0$. Let the number of Challenge queries be bounded by $N$. Then $\mathfrak{R}_0^0=\mathfrak{R}_0$ and $\mathfrak{R}_0^N=\mathfrak{R}_1$. If the lemma is violated by $\mathcal{A}$, then by a hybrid argument there exists $t$ such that $|\Pr[\mathcal{A}(\mathfrak{R}_0^{t-1})=1]-\Pr[\mathcal{A}(\mathfrak{R}_0^t)=1]|$ is non-negligible. Let $\tilde{\mathfrak{R}}_0^l$, $l=t-1,t$, be the variant of $\mathfrak{R}_0^l$ in which, in the $t$-th Challenge query, $x\leftarrow X\setminus L$ (instead of $x\leftarrow L$), where correspondingly $H_k(z,x)$ is computed using $k$. By reduction to the hardness of $X$, we have $\Pr[\mathcal{A}(\mathfrak{R}_0^l)=1]=\Pr[\mathcal{A}(\tilde{\mathfrak{R}}_0^l)=1]+\mathrm{negl}(\kappa)$. Hence, $\Pr[\mathcal{A}(\tilde{\mathfrak{R}}_0^{t-1})=1]-\Pr[\mathcal{A}(\tilde{\mathfrak{R}}_0^{t})=1]$ is non-negligible. We build an adversary $\mathcal{D}$ that uses $\mathcal{A}$ to break the computational universality of $\Psi$. Upon the public key $pk=(\alpha(k),\mathrm{desc}(\Psi))$, $\mathcal{D}$ invokes $\mathcal{A}$ with $pk$ and simulates $\tilde{\mathfrak{R}}_0$ with it as follows. He defines $c$ to be the hidden bit in his challenge key $K_c$ (parsed as $(a^*,s^*)$ in this proof).

• $i$-th Challenge query with tag $z$ from $\mathcal{A}$. If $i\neq t$, take $x\leftarrow D(L)$ and compute $(a_0,s_0)=H_k(z,x)$ using the witness $w$. The remaining simulation in this query is normal, as in $\tilde{\mathfrak{R}}_0$. If $i=t$, he takes $x^*\leftarrow D(X\setminus L)$ and sets $(z,x^*)$ to be his test pair $(z_2,x_2)$. In turn, he receives $K_c$ (parsed as $(a^*,s^*)$) and forwards it to $\mathcal{A}$. Then he updates $\Omega=\Omega\cup\{(z,x^*,a^*,s^*)\}$.

• Compute query $(z,x,\sigma,m)$. If $(z,x,a',s')\in\Omega$ for some $a',s'$, verify $\sigma$ using $a'$; otherwise, he issues an Evalu query with $(z,x)$ to his challenger and in turn receives $(a,s)$. If $(a,s)=\bot$ (hence $x\notin L$) or $\sigma\neq\mathrm{MAC}_a(m)$, he outputs $\bot$; otherwise he outputs $(a,s)$.

At the end of the game, $\mathcal{D}$ outputs whatever $\mathcal{A}$ does.

Denote the game simulated by $\mathcal{D}$ with bit $c$ by $\hat{\mathfrak{R}}_0^{t-c}$. Then $\hat{\mathfrak{R}}_0^{t-c}$ is identical to $\tilde{\mathfrak{R}}_0^{t-c}$, except in the case of $x\notin L$ in a Compute query. In this case, the challenger of $\mathcal{D}$ returns $(a,s)=\bot$ and $\mathcal{D}$ outputs $\bot$ too, while in $\tilde{\mathfrak{R}}_0^{t-c}$, $\sigma$ is verified using $a$ in $(a,s)=H_k(z,x)$ and (if valid) $(a,s)$ is returned. Hence, an inconsistency between the two games occurs only if the following event occurs in some Compute query $(z,x,\sigma,m)$ in $\hat{\mathfrak{R}}_0^{t-c}$: $(z,x,*,*)\notin\Omega$ and $x\notin L$ but $\sigma=\mathrm{MAC}_a(m)$. Denote this event by $E$. We have $|\Pr[\mathcal{A}(\hat{\mathfrak{R}}_0^{t-c})=1]-\Pr[\mathcal{A}(\tilde{\mathfrak{R}}_0^{t-c})=1]|\le\Pr[E(\hat{\mathfrak{R}}_0^{t-c})]$. We claim that $\Pr[E(\hat{\mathfrak{R}}_0^{t-c})]=\mathrm{negl}(\kappa)$ for $c=0,1$; otherwise, the computational universality of $\Psi$ can be broken by an adversary $\mathcal{D}'$ as follows. W.l.o.g., assume $\Pr[E(\hat{\mathfrak{R}}_0^{t})]$ is non-negligible. Upon receiving $pk$, $\mathcal{D}'$ simulates $\hat{\mathfrak{R}}_0^{t}$ by playing the roles of $\mathcal{D}$ and of the challenger of $\mathcal{D}$, where $pk$ is the public key, except that the evaluation of $H_k(z,x)$ is done with his own challenger's help. Specifically, for the $i$-th Challenge query with $i\neq t$, he takes $x\leftarrow L$ and computes $H_k(z,x)$ with $w$ himself; for the $t$-th Challenge query, he takes $x^*\leftarrow X\setminus L$ and asks his challenger to evaluate $H_k(z,x^*)$ as the first challenge (i.e., $(z_1,x_1)$ in Definition 3); upon a Compute query $(z,x,\sigma,m)$, he asks his own challenger with $(z,x)$ and in turn receives $(a,s)=\bot$ if $x\notin L$ and $H_k(z,x)$ otherwise. In the former case, he records $(z,x)$ in a list $\mathcal{C}$ and rejects normally (as in $\hat{\mathfrak{R}}_0^{t-c}$); in the latter case, he answers the query using the received $H_k(z,x)$ normally. The remaining simulation is normal. This simulation is perfectly consistent with $\hat{\mathfrak{R}}_0^{t-c}$ for both $c=0$ and $c=1$. At the end of the game, if $c=1$ (since we only consider $\hat{\mathfrak{R}}_0^{t}$, not $\hat{\mathfrak{R}}_0^{t-1}$), he outputs 0 or 1 at random; otherwise, he takes $(z^*,y^*)$ at random from $\mathcal{C}$ and asks $(z^*,y^*)$ as his test challenge (i.e., $(z_2,x_2)$ in Definition 3). In turn he receives $(a_b^*,s_b^*)$, where $(a_0^*,s_0^*)=H_k(z^*,y^*)$ or $(a_1^*,s_1^*)\leftarrow\{0,1\}^{2\kappa}$. Then he reviews all the Compute queries in $\mathcal{C}$ of the form $(z^*,y^*,\sigma,m)$ for any $\sigma,m$, and denotes the event $\sigma=\mathrm{MAC}_{a_b^*}(m)$ by inc. In case of inc, he outputs 0; otherwise he outputs 1. Note that if $b=1$, then inc occurs for $y^*$ only with negligible probability, by the unforgeability of MAC. If $b=0$, then the inc event is the $E$ event occurring to $(z^*,y^*)$. Since any $E$ event must occur to some $(z,x)$ in $\mathcal{C}$, inc occurs in the algorithm of $\mathcal{D}'$ for $b=0$ with probability at least $\Pr[E(\hat{\mathfrak{R}}_0^{t})]/|\mathcal{C}|$, which is non-negligible. The non-negligible gap between the two cases implies a non-negligible advantage of $\mathcal{D}'$, a contradiction. Hence, $\Pr[\mathcal{A}(\hat{\mathfrak{R}}_0^{t})=1]-\Pr[\mathcal{A}(\hat{\mathfrak{R}}_0^{t-1})=1]$ is non-negligible, which is the success advantage of $\mathcal{D}$, a contradiction. $\blacksquare$

Appendix B. Proof of Lemma [2] 

Proof. Use $Left$ and $Right$ to denote the left and right sides of Eq. (1), respectively. First, we show $Left \ge Right$ by presenting an algorithm $\mathcal{A}_0$ achieving $Right$. $\mathcal{A}_0$ simply draws balls from Box 1 until the red ball is picked. Then he turns to Box 2 using the same strategy, then Box 3, and so on. If he draws the red ball from Box $\ell$ before the $t$ picks are used up, he succeeds; otherwise, he fails. Let the red ball in Box $i$ be obtained using $X_i$ picks. Since the balls are drawn without replacement, it is simple to verify that $X_i \leftarrow [a_i]$, i.e., $X_i$ is uniform over $\{1, \dots, a_i\}$. Hence, the success probability of $\mathcal{A}_0$ is exactly the right side of Eq. (1).

It remains to show that $Left \le Right$. When $\ell = 0$, the conclusion holds trivially since both sides are 1. Assume $\ell \ge 1$. When $n = 1$, the two sides of Eq. (1) both equal $\min\{t/a_1, 1\}$ in the (only) case $\ell = 1$. For $n \ge 2$ and $\ell \ge 1$, we use induction on $t$. Note that $\Theta_{t,n,\ell}(a_1, \dots, a_n)$ can always be achieved by a deterministic algorithm, obtained by fixing the randomness of $\mathcal{A}$ that maximizes its success probability. Hence, we assume a deterministic $\mathcal{A}$ achieves it. When $t = 0$, the two sides of Eq. (1) are zero and the conclusion holds trivially. When $t = 1$, assume the first box chosen by $\mathcal{A}$ is $j$. Then

$$\begin{aligned}
\Theta_{1,n,\ell}(a_1, \dots, a_n)
&= a_j^{-1}\,\Theta_{0,n,\ell-1}(a_1, \dots, a_{j-1}, 0, a_{j+1}, \dots, a_n)
 + (1 - a_j^{-1})\,\Theta_{0,n,\ell}(a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n) \\
&= a_j^{-1}\,\Theta_{0,n-1,\ell-1}(a_1, \dots, a_{j-1}, a_{j+1}, \dots, a_n)
 + (1 - a_j^{-1})\,\Theta_{0,n,\ell}(a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n).
\end{aligned}$$

If $\ell = 1$, this gives $\Theta_{1,n,1}(a_1, \dots, a_n) = a_j^{-1} \le a_1^{-1} = Right$. Hence $Left \le Right$. If $\ell \ge 2$, since $\Theta_{0,n-1,\ell-1}(a_1, \dots, a_{j-1}, a_{j+1}, \dots, a_n) = 0$ and

$$\Theta_{0,n,\ell}(a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n) = 0,$$

we have that $\Theta_{1,n,\ell}(a_1, \dots, a_n) = 0$. In addition, since $x_1 + \cdots + x_\ell \ge \ell > 1 = t$, $Right = 0$. Hence $Left = Right$.

Now assume $Left \le Right$ for $t - 1$, which implies $Left = Right$ for $t - 1$ since $Left \ge Right$ was proven at the beginning. We consider $t$ ($t \ge 2$). Assume the first box chosen by $\mathcal{A}$ is $j$. Then

$$\begin{aligned}
\Theta_{t,n,\ell}(a_1, \dots, a_n)
&= a_j^{-1}\,\Theta_{t-1,n,\ell-1}(a_1, \dots, a_{j-1}, 0, a_{j+1}, \dots, a_n)
 + (1 - a_j^{-1})\,\Theta_{t-1,n,\ell}(a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n) \\
&= a_j^{-1}\,\Theta_{t-1,n-1,\ell-1}(a_1, \dots, a_{j-1}, a_{j+1}, \dots, a_n)
 + (1 - a_j^{-1})\,\Theta_{t-1,n,\ell}(a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n).
\end{aligned}$$

We distinguish the following cases.

Case $a_j = 1$: In this case, $\Theta_{t,n,\ell}(a_1, \dots, a_n) = \Theta_{t-1,n-1,\ell-1}(a_1, \dots, a_{j-1}, a_{j+1}, \dots, a_n)$. Let $a_1^*, \dots, a_{\ell-1}^*$ be the $\ell - 1$ smallest numbers among $\{a_1, \dots, a_n\} \setminus \{a_j\}$. By induction,

$$\Theta_{t-1,n-1,\ell-1}(a_1, \dots, a_{j-1}, a_{j+1}, \dots, a_n) = \Pr\big[x_1^* + \cdots + x_{\ell-1}^* \le t - 1 : x_i^* \leftarrow [a_i^*]\big]. \tag{2}$$

If $j \ge \ell$, then $a_1 = \cdots = a_\ell = 1$, as $a_1 \le a_2 \le \cdots \le a_n$. Hence $(a_1^*, \dots, a_{\ell-1}^*)$ equals $(a_1, \dots, a_{\ell-1})$. Therefore,

$$\Pr\Big[\sum_{i=1}^{\ell-1} x_i^* \le t - 1 : x_i^* \leftarrow [a_i^*]\Big] = \Pr\Big[\sum_{i=1}^{\ell-1} x_i \le t - 1 : x_i \leftarrow [a_i]\Big].$$

Since $a_\ell = 1$, $x_\ell = 1$ always holds when $x_\ell \leftarrow [a_\ell]$. So

$$\Pr\Big[\sum_{i=1}^{\ell-1} x_i \le t - 1 : x_i \leftarrow [a_i]\Big] = \Pr\Big[\sum_{i=1}^{\ell} x_i \le t : x_i \leftarrow [a_i]\Big].$$

The induction holds in this case.

If $j < \ell$, then $\{a_1^*, \dots, a_{\ell-1}^*\} = \{a_1, \dots, a_{j-1}, a_{j+1}, \dots, a_\ell\}$. Hence

$$\begin{aligned}
\Pr\Big[\sum_{i=1}^{\ell-1} x_i^* \le t - 1 : x_i^* \leftarrow [a_i^*]\Big]
&= \Pr\Big[\sum_{1 \le i \le \ell,\, i \ne j} x_i \le t - 1 : x_i \leftarrow [a_i]\Big] \\
&= \Pr\Big[\sum_{i=1}^{\ell} x_i \le t : x_i \leftarrow [a_i]\Big],
\end{aligned}$$

where the last equality holds since $a_j = 1$ and hence $x_j = 1$ always. Hence the induction holds in this case too.

Case $a_j > 1$ and $j \ge \ell$: In this case, $\{a_1, \dots, a_{\ell-1}\}$ are the $\ell - 1$ smallest numbers in $\{a_1, \dots, a_n\} \setminus \{a_j\}$. By the induction assumption on $t - 1$, we have

$$a_j^{-1}\,\Theta_{t-1,n-1,\ell-1}(a_1, \dots, a_{j-1}, a_{j+1}, \dots, a_n) = a_j^{-1}\,\Pr\Big[\sum_{i=1}^{\ell-1} x_i \le t - 1 : x_i \leftarrow [a_i]\Big].$$

In addition, if $a_j > a_\ell$, then $\{a_1, \dots, a_\ell\}$ are the $\ell$ smallest numbers in $\{a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n\}$. Hence

$$(1 - a_j^{-1})\,\Theta_{t-1,n,\ell}(a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n) = (1 - a_j^{-1})\,\Pr\Big[\sum_{i=1}^{\ell} x_i \le t - 1 : x_i \leftarrow [a_i]\Big].$$

Therefore, in Eq. (1), $Right - Left$ equals

$$\Pr\Big[\sum_{i=1}^{\ell} x_i = t\Big] + a_j^{-1}\,\Pr\Big[\sum_{i=1}^{\ell} x_i \le t - 1\Big] - a_j^{-1}\,\Pr\Big[\sum_{i=1}^{\ell-1} x_i \le t - 1\Big], \tag{3}$$

where throughout $x_i \leftarrow [a_i]$. We need to show $Right - Left \ge 0$. We split the event $\sum_{i=1}^{\ell-1} x_i \le t - 1$ into two sub-events, $A : t - a_\ell \le \sum_{i=1}^{\ell-1} x_i \le t - 1$ and $B : \sum_{i=1}^{\ell-1} x_i < t - a_\ell$. In case of event $A$, there exists $1 \le x_\ell^* \le a_\ell$ (determined by $x_1, \dots, x_{\ell-1}$) such that $x_\ell^* + \sum_{i=1}^{\ell-1} x_i = t$. Hence

$$\Pr\Big[\sum_{i=1}^{\ell} x_i = t\Big] - a_j^{-1}\Pr[A] \ge \Pr\Big[\sum_{i=1}^{\ell} x_i = t \wedge x_\ell = x_\ell^*\Big] - a_j^{-1}\Pr[A] = a_\ell^{-1}\Pr[A] - a_j^{-1}\Pr[A] \ge 0,$$

where the last inequality uses $a_j > a_\ell$. In case of event $B$, since $x_\ell \le a_\ell$ always holds, $B$ implies $\sum_{i=1}^{\ell} x_i \le t - 1$, and so $a_j^{-1}\Pr[B] \le a_j^{-1}\Pr[\sum_{i=1}^{\ell} x_i \le t - 1]$. Adding the two bounds shows that (3) is non-negative. Hence $Right \ge Left$ holds in this case.

If $a_j \le a_\ell$, then $a_j = a_\ell$, since $a_j \ge a_\ell$ always holds for $j \ge \ell$ by assumption. In this case, $\{a_1, \dots, a_{\ell-1}, a_\ell - 1\}$ are the $\ell$ smallest numbers among $\{a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n\}$. Hence

$$\begin{aligned}
&(1 - a_j^{-1})\,\Theta_{t-1,n,\ell}(a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n) \\
&= (1 - a_\ell^{-1})\,\Pr\Big[x_\ell^* + \sum_{i=1}^{\ell-1} x_i \le t - 1 : x_i \leftarrow [a_i],\ x_\ell^* \leftarrow [a_\ell - 1]\Big] \\
&= (1 - a_\ell^{-1})\sum_{u=1}^{a_\ell - 1}\Pr\Big[x_\ell^* + \sum_{i=1}^{\ell-1} x_i \le t - 1 \wedge x_\ell^* = u : x_i \leftarrow [a_i],\ x_\ell^* \leftarrow [a_\ell - 1]\Big] \\
&= a_\ell^{-1}\sum_{u=1}^{a_\ell - 1}\Pr\Big[u + 1 + \sum_{i=1}^{\ell-1} x_i \le t : x_i \leftarrow [a_i]\Big] \\
&= \Pr\Big[\sum_{i=1}^{\ell} x_i \le t \wedge x_\ell > 1 : x_i \leftarrow [a_i]\Big].
\end{aligned}$$

Further,

$$\begin{aligned}
a_j^{-1}\,\Theta_{t-1,n-1,\ell-1}(a_1, \dots, a_{j-1}, a_{j+1}, \dots, a_n)
&= a_\ell^{-1}\,\Pr\Big[\sum_{i=1}^{\ell-1} x_i \le t - 1 : x_i \leftarrow [a_i]\Big] \\
&= \Pr\Big[\sum_{i=1}^{\ell} x_i \le t \wedge x_\ell = 1 : x_i \leftarrow [a_i]\Big].
\end{aligned}$$

Combining the above two equations, we have that $Left = Right$ in this case.

Case $a_j > 1$ and $j < \ell$: In this case, $\{a_1, \dots, a_\ell\} \setminus \{a_j\}$ are the $\ell - 1$ smallest numbers among $\{a_1, \dots, a_n\} \setminus \{a_j\}$. By the induction assumption on $t - 1$, we have

$$\begin{aligned}
a_j^{-1}\,\Theta_{t-1,n-1,\ell-1}(a_1, \dots, a_{j-1}, a_{j+1}, \dots, a_n)
&= a_j^{-1}\,\Pr\Big[\sum_{1 \le i \le \ell,\, i \ne j} x_i \le t - 1 : x_i \leftarrow [a_i]\Big] \\
&= \Pr\Big[\sum_{1 \le i \le \ell} x_i \le t \wedge x_j = 1 : x_i \leftarrow [a_i]\Big].
\end{aligned}$$

Note that $\{a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_\ell\}$ are the $\ell$ smallest numbers in $\{a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n\}$. Hence

$$\begin{aligned}
&(1 - a_j^{-1})\,\Theta_{t-1,n,\ell}(a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n) \\
&= (1 - a_j^{-1})\,\Pr\Big[x_j^* + \sum_{i=1,\, i \ne j}^{\ell} x_i \le t - 1 : x_i \leftarrow [a_i],\ x_j^* \leftarrow [a_j - 1]\Big] \\
&= (1 - a_j^{-1})\sum_{u=1}^{a_j - 1}\Pr\Big[x_j^* + \sum_{i=1,\, i \ne j}^{\ell} x_i \le t - 1 \wedge x_j^* = u : x_i \leftarrow [a_i],\ i \ne j,\ x_j^* \leftarrow [a_j - 1]\Big] \\
&= a_j^{-1}\sum_{u=1}^{a_j - 1}\Pr\Big[u + 1 + \sum_{i=1,\, i \ne j}^{\ell} x_i \le t : x_i \leftarrow [a_i],\ i \ne j\Big] \\
&= \sum_{u=1}^{a_j - 1}\Pr\Big[\sum_{i=1}^{\ell} x_i \le t \wedge x_j = u + 1 : x_i \leftarrow [a_i]\Big] \\
&= \Pr\Big[\sum_{i=1}^{\ell} x_i \le t \wedge x_j > 1 : x_i \leftarrow [a_i]\Big].
\end{aligned}$$

Combining the above two equations, we conclude $Left = Right$ in this case.

In summary, the induction holds in all cases. This completes the proof. ■
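The lemma can be checked mechanically for small parameters. The following Python is an added example, not part of the original paper: `theta` evaluates $\Theta_{t,n,\ell}(a_1, \dots, a_n)$ exactly (in rational arithmetic) by the same one-step recursion the proof uses, maximizing over the box picked first and memoizing on the remaining multiset of box sizes, while `right_side` computes $\Pr[x_1 + \cdots + x_\ell \le t]$ for the $\ell$ smallest boxes, which is also the success probability of the greedy algorithm $\mathcal{A}_0$. The box sizes $(4, 6, 10)$, the budget of $t = 8$ picks and the goal $\ell = 2$ are constructed for illustration; read a box as a candidate dictionary with exactly one correct entry and a pick as one guess.

```python
from fractions import Fraction
from functools import lru_cache
from itertools import product


def theta(t, boxes, ell):
    """Theta_{t,n,ell}(a_1, ..., a_n): maximum success probability over all
    adaptive algorithms making t picks without replacement that must find the
    red ball in ell distinct boxes, box i holding a_i balls with exactly one red.
    Computed by the recursion of the proof: the first pick goes to some box j
    and either hits (prob 1/a_j, box j is done) or misses (prob 1 - 1/a_j,
    box j shrinks to a_j - 1 balls)."""

    @lru_cache(maxsize=None)
    def best(picks, state, need):
        # state: sorted tuple of ball counts of boxes whose red ball is not yet found
        if need == 0:
            return Fraction(1)
        if picks == 0 or len(state) < need:
            return Fraction(0)
        value = Fraction(0)
        for j, a in enumerate(state):
            if j > 0 and state[j - 1] == a:
                continue  # identical multiset after the pick: skip duplicate work
            rest = state[:j] + state[j + 1:]
            hit = Fraction(1, a) * best(picks - 1, rest, need - 1)
            miss = Fraction(0)
            if a > 1:
                miss = Fraction(a - 1, a) * best(picks - 1, tuple(sorted(rest + (a - 1,))), need)
            value = max(value, hit + miss)
        return value

    return best(t, tuple(sorted(boxes)), ell)


def right_side(t, boxes, ell):
    """Right side of Eq. (1): Pr[x_1 + ... + x_ell <= t] with x_i uniform on
    {1, ..., a_i} for the ell smallest box sizes.  Equals the exact success
    probability of A_0 (smallest box first, stay until its red ball appears)."""
    smallest = sorted(boxes)[:ell]
    dist = {0: Fraction(1)}  # exact distribution of the partial sum
    for a in smallest:
        nxt = {}
        for s, p in dist.items():
            for x in range(1, a + 1):
                nxt[s + x] = nxt.get(s + x, Fraction(0)) + p / a
        dist = nxt
    return sum((p for s, p in dist.items() if s <= t), Fraction(0))


def lemma_holds(t, boxes, ell):
    """True iff Theta_{t,n,ell}(a) equals Pr[x_1 + ... + x_ell <= t]."""
    return theta(t, boxes, ell) == right_side(t, boxes, ell)


def check_small_cases(max_balls=4, max_n=3, max_t=6):
    """Exhaustively verify the lemma for n <= max_n boxes, a_i <= max_balls,
    0 <= ell <= n and 0 <= t <= max_t."""
    for n in range(1, max_n + 1):
        for boxes in product(range(1, max_balls + 1), repeat=n):
            for ell in range(0, n + 1):
                for t in range(0, max_t + 1):
                    if not lemma_holds(t, boxes, ell):
                        return False
    return True


if __name__ == "__main__":
    # Constructed example: dictionaries of sizes 4, 6 and 10, one correct entry
    # each; an attacker with 8 guesses who wants 2 of the 3 secrets.
    dictionaries = (4, 6, 10)
    print("Theta =", theta(8, dictionaries, 2))       # 7/8
    print("Right =", right_side(8, dictionaries, 2))  # 7/8
    print("Lemma holds on all small cases:", check_small_cases())
```

For the constructed instance the optimal adaptive attacker and the greedy smallest-dictionary-first attacker both succeed with probability exactly $7/8$, as the lemma predicts; the exhaustive check confirms equality on every instance with at most three boxes of at most four balls.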